Medicare Financial Management Manual Chapter 7 - Internal Control Requirements

Table of Contents

(Rev. 10614, 03-23-21)

Transmittals for Chapter 7 10 – Introduction

10.1 – Authority 10.1.1– Federal Managers' Financial Integrity Act of 1982 (FMFIA) 10.1.2 – FMFIA and the CMS Medicare Contractor Contract 10.1.3 – Chief Financial Officers Act of 1990 (CFO) 10.1.4 – OMB Circular A-123 10.1.5 – GAO Standards for Internal Controls in the Federal Government

10.2 – GAO Standards in the Federal Government 10.2.1 – Definition and Objectives 10.2.2 – Fundamental Concepts 10.2.3 – Standards for Internal Control

10.2.3.1 – Control Environment 10.2.3.2 – Risk Assessment 10.2.3.3 – Control Activities 10.2.3.4 – Information and Communication 10.2.3.5 – Monitoring

20 – CMS Contractor Internal Control Review Process and Timeline 20.1 – Risk Assessment

20.1.1 – Risk Analysis Chart 20.2 – Internal Control Objectives

20.2.1 – CMS Contractor Control Objectives 20.3 – Policies and Procedures 20.4 – Testing Methods 20.5 – Documentation and Working Papers

30 - Internal Control Reporting Requirements 30.1 – Certification Package for Internal Controls (CPIC) Requirements

30.1.1 – OMB Circular A-123 Appendix A: Internal Control Over Financial Reporting (ICOFR)

30.2 – Certification Statement 30.3 – Executive Summary 30.4 – CPIC - Report of Material Weaknesses 30.5 – CPIC- Report of Internal Control Deficiencies 30.6 – Definitions of Control Deficiency, Significant Deficiency, and Material Weaknesses 30.7 – Material Weaknesses Identified During the Reporting Period 30.8 – Statement on Standards for Attestation Engagements (SSAE) Number 18 (SSAE 18), Reporting on Controls at Service Providers 30.9 – List of Complementary User Entity Controls (CUECs)

30.9.1 – A CUECs – Information Systems 30.9.2 – B CUECs – Claims Processing 30.9.3 – F CUECs – Medical Review (MR) 30.9.4 – G CUECs – Medicare Secondary Payer (MSP) 30.9.5 – I – CUECs Provider Audit 30.9.6 – J CUECs – Financial

30.9.6.1 – J CUECs – Financial (Non-HIGLAS) 30.9.6.2 – J CUECs – Financial (HIGLAS)

30.9.7 – K CUECs – Debt Referral (MSP and Non-MSP) 30.9.7.1 – K CUECs – Debt Referral (MSP and Non-MSP) (Non-HIGLAS) 30.9.7.2 – K CUECs – Debt Referral (MSP and Non-MSP) (HIGLAS)

30.9.8 – L CUECs – Non-MSP Debt Collection 40 – Corrective Action Plans 40.1 – Submission, Review, and Approval of Corrective Action Plans 40.2 – Corrective Action Plan (CAP) Reports 40.3 – CMS Finding Numbers 40.4 – Initial CAP Report 40.5 – Quarterly CAP Report 40.6 – CMS CAP Report Template

50 – List of CMS Contractor Control Objectives 50.1 – A Controls – Information Systems 50.2 – B Controls – Claims Processing 50.3 – C Controls – Appeals 50.4 – D Controls – Beneficiary / Provider Services 50.5 – E Controls – Complementary Credits 50.6 – F Controls – Medical Review (MR) 50.7 – G Controls – Medicare Secondary Payer (MSP) 50.8 – H Controls – Administrative 50.9 – I Controls – Provider Audit 50.10 – J Controls – Financial Reporting Review Requirements 50.11 – K Controls – Debt Referral (MSP and Non-MSP) 50.12 – L Controls – Non-MSP Debt Collection 50.13 – M Controls – Provider Enrollment

60 – CMS Contractor Cycle Memo 60.1 – CMS Contractor Cycle Memo Outline

70 – List of Commonly Used Acronyms

10 - Introduction (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Chapter 7: Internal Control Requirements provides guidelines and policies to the CMS contractors in enabling them to strengthen their internal controls procedures. The CMS contracts with companies to administer the Medicare program under the Social Security Act and the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA). The contractors shall administer the Medicare program efficiently and economically in order to achieve the program objectives. Internal controls are an essential part of managing an organization. Additionally, internal controls also serves as the first line of defense in safeguarding assets and preventing and detecting errors and or fraud. In summary, internal controls assists government program managers in achieving desired results through effective stewardship of public resources. End Section 10 – Introduction: Back to Table of Contents 10.1 - Authority (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) The Federal Managers' Financial Integrity Act of 1982 (FMFIA) establishes internal control requirements that shall be met by CMS. For CMS to meet the requirements of FMFIA, CMS contractors shall demonstrate that they are in compliance with the FMFIA guidelines. End Section 10.1 – Authority: Back to Table of Contents 10.1.1 - Federal Managers' Financial Integrity Act of 1982 (FMFIA) (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) The FMFIA requires that internal accounting and administrative controls of each executive agency be established in accordance with the standards prescribed by the Comptroller General. Under FMFIA, the Office of Management and Budget (OMB) establishes guidelines for agencies to evaluate their systems of internal accounting and administrative control to determine such systems' compliance with the standards established by the Comptroller General. Under the prescribed standards of the FMFIA, agencies must provide reasonable assurance to the President and Congress on an annual basis that:

1. Obligations and costs are in compliance with applicable law; 2. Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or

misappropriation; and 3. Revenues and expenditures applicable to agency operations are properly recorded and accounted for

to permit the preparation of accounts, reliable financial and statistical reports, and to maintain accountability over the assets.

End Section 10.1.1 – Federal Managers' Financial Integrity Act of 1982 (FMFIA): Back to Table of Contents 10.1.2 - FMFIA and the CMS Medicare Contractor Contract (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The CMS contract with its Medicare Title XVIII contractors includes an article titled FMFIA. In this article, the contractor agrees to cooperate with CMS in the development of procedures permitting CMS to comply with FMFIA and other related standards prescribed by the Comptroller General of the United States. The Medicare Part A and Part B (A/B) Medicare Administrative Contractor (MAC), Durable Medical Equipment (DME) MAC, and Specialty MAC (SMAC) (A/B, DME, & Specialty MACs) Statements of Work (SOW)

states that, “the contractor shall establish and maintain efficient and effective internal controls to perform the requirements of the contract in accordance with IOM Pub. 100-06, Chapter 7”. Under various provisions of the Social Security Act, and the Medicare Prescription Drug, Improvement Modernization Act of 2003 (MMA), contractors shall be evaluated by CMS on administrative service performance. The CMS evaluates contractor’s performance by various internal and external reviews. To further sensitize the contractors as to the importance of FMFIA compliance, CMS requires the contractors to annually provide assurance that internal controls are in place and to identify and correct any areas of weakness in their operations. The vehicle used by the contractors to provide this assurance is the Certification Package for Internal Controls (CPIC). The CPIC includes a self-certification representation that the contractor’s internal controls are in compliance with FMFIA expectations, that the contractor recognizes the importance of internal controls, and the contractor has provided required documentation in the package. End Section 10.1.2 – FMFIA and the CMS Medicare Contractor Contract: Back to Table of Contents 10.1.3 - Chief Financial Officers Act of 1990 (CFO) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) The CFO Act of 1990 established a leadership structure, provided for long range planning, required audited financial statements, and strengthened accountability reporting. The aim of the CFO Act is to improve financial management systems and information. The CFO Act also requires the development and maintenance of agency financial management systems that comply with: applicable accounting principles, standards, and requirements; internal control standards; and requirements of OMB, the Department of the Treasury, and others. Under the CFO Act, CMS is subject to an annual financial statement audit. Contractors may be included in the annual financial statement audit and shall fully cooperate as needed with the audit. End Section 10.1.3 – Chief Financial Officers Act of 1990 (CFO): Back to Table of Contents 10.1.4 - OMB Circular A-123 (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) A revised OMB Circular A-123, Management’s Responsibility for Internal Control, issued in December 21, 2004 under the authority of FMFIA, provided specific requirements for assessing and reporting on internal controls. In July 2016, OMB Circular A-123 was again revised, and the title was changed to Management’s Responsibility for Enterprise Risk Management and Internal Control. This Circular defines management’s responsibilities for enterprise risk management (ERM) and internal control. The Circular provides updated implementation guidance to federal managers to improve accountability and effectiveness of federal programs as well as mission-support operations through implementation of ERM practices and by establishing, maintaining, and assessing internal control effectiveness. The Circular emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency. Pursuant to OMB Circular A-123, agencies are required to provide an annual assurance statement which represents the agency head’s informed judgment as to the overall adequacy and effectiveness of internal controls related to operations, reporting, and compliance. Appendix A to OMB, Internal Control Over Financial Reporting, was issued in 2004, which required the heads of certain federal agencies to annually document and assess internal controls over financial reporting and report the results in a management assurance statement. In June 2018, an updated version of Appendix A, Management of Reporting and Data Integrity Risk was issued, which among other changes, aligns Appendix A with the 2014 update to the Government Accountability Office (GAO) Green Book in part, by expanding the scope from ICOFR to include internal control over reporting (ICOR).

CMS conducts annual A-123 internal control reviews. Contractors will be subject to the annual A-123 internal control review. In lieu of an A-123 internal control review, contractors may be selected for a Statement on Standards for Attestation Engagements No. 18 (SSAE-18) internal control examination. End Section 10.1.4 – OMB Circular A-123: Back to Table of Contents 10.1.5 - GAO Standards for Internal Controls in the Federal Government (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) The FMFIA requires the GAO to prescribe standards for internal control in government, more commonly known as the Green Book. GAO's "Standards for Internal Controls in the Federal Government" were updated in September 2014. These standards provide the internal control framework and criteria for designing, implementing, and operating an effective system of internal control. The Green Book defines internal control as a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity are achieved. These are the internal control standards that CMS and its contractors must follow. See Section 10.2 for more information regarding GAO Standards for Internal Controls in the Federal Government. End Section 10.1.5 – GAO Standards for Internal Controls in the Federal Government: Back to Table of Contents 10.2 - GAO Standards in the Federal Government (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Back to Table of Contents 10.2.1 - Definition and Objectives (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Internal controls are the checks and balances that ensure that operational objectives are carried out as planned in the most effective and efficient manner possible. We should not look upon these controls as separate specialized systems, but as integral parts of each system that management uses to accomplish the objectives of the Medicare program. In this regard internal controls are not just financial tools that safeguard assets, but are tools that are of vital importance to day-to-day programmatic and administrative operations as well. Internal control should be the first thought in CMS' oversight process. That is, can we be sure that there are adequate internal controls in place and operating effectively for the process we are evaluating? Internal controls are an integral part of an organization's management to provide reasonable assurance that the following objectives are being achieved:

• Effectiveness and efficiency of operations; • Reliability of reporting; and • Compliance with applicable laws and regulations

Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps program managers achieve desired results through effective stewardship of resources. End Section 10.2.1 – Definition and Objectives: Back to Table of Contents

10.2.2 - Fundamental Concepts (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Three fundamental concepts provide the underlying framework for designing and applying the internal control standards. A. A continuous built-in component of operations Internal control includes measures and practices that are used to mitigate risks and exposures that could potentially prevent an organization from achieving its goals and objectives. Internal control is not one event or circumstance, but a series of actions that permeate an organization's activities. These actions are pervasive and are inherent in the way management runs the organization. Internal controls involve an organization-wide commitment that defines and implements a continuous process of assessing, monitoring, and tracking activities and risks, through an integrated and effective communication mechanism. B. Are effected by people An organization's management directs internal control, which is carried out by the people within that organization. Management's commitment to establish strong internal control affects the organization's practices. Management sets goals and policies, provides resources, and monitors and evaluates the performance of the organization. The organization's internal control environment is established by these policies and is controlled by available resources. Although internal control begins with this established environment, the employees make it work and must be adequately trained. It is the manner in which the entire organization embraces the internal control that affects their accountability and operational results. C. Provide reasonable assurance, not absolute assurance Reasonable assurance indicates that an internal control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance regarding achievement of an entity's objectives, and further indicates that the likelihood of achievement of these objectives is affected by limitations inherent in all internal control systems. Examples of limitations are:

a. Judgment - the effectiveness of controls will be limited by decisions made by human judgment under pressures to conduct business based on information at hand;

b. Breakdowns - even well designed internal controls can break down. Employees sometimes

misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems;

c. Management Override - high-level personnel may be able to override prescribed policies and

procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes;

d. Collusion - control systems can be circumvented by employee collusion. Individuals acting

collectively can alter financial data or other management information in a manner that cannot be identified by control systems.

End Section 10.2.2 – Fundamental Concepts: Back to Table of Contents

10.2.3 - Standards for Internal Control (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) Internal control consists of five interrelated standards. The GAO "Standards for Internal Control in the Federal Government" describes these five standards:

A. Control environment; B. Risk assessment; C. Control activities; D. Information and communication; and E. Monitoring.

Each of these internal control standards plays an important role in the overall control environment of an organization. These standards define the minimum level of quality acceptable for internal control in government and provide the basis against which the internal control is to be evaluated. While each internal control standard is an integral part of the management process and plays a specific role, it is the combination of these standards that establishes internal control in an organization. The control environment provides the discipline and atmosphere in which the organization conducts its activities and carries out its control responsibilities. It also serves as the foundation for the other standards. Within this environment, management conducts risk assessments to assess the potential effect of internal and external risks in achieving the organization's objectives. Control activities are implemented to help ensure that management directives are carried out as planned. Relevant information is captured and communicated in a timely and effective manner throughout the organization on an ongoing basis. The organization's operations are continuously monitored as an integral part of the organization's performance evaluation. End Section 10.2.3 – Standards for Internal Control: Back to Table of Contents

10.2.3.1 - Control Environment (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. The control environment of an organization sets the tone of an organization, influencing the internal control consciousness of its people. It is the foundation for all other standards of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the organization's people; management's philosophy and operating style; and the way management assigns authority and responsibility and organizes and develops its human resources. End Section 10.2.3.1 – Control Environment: Back to Table of Contents 10.2.3.2 - Risk Assessment (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Every organization faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of control objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to the achievement of established objectives. A key factor in the consideration of an internal control structure is the importance and risk associated with a program and its associated cost effectiveness. When determining whether a particular control objective should be established, the risk of failure and the potential affect must be considered along with the cost of establishing the control. End Section 10.2.3.2 – Risk Assessment: Back to Table of Contents 10.2.3.3 - Control Activities (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) The control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the organization's control objectives. Control activities are the written activities used to support policies and procedures that help ensure management directives are carried out. Also see Section 20.3. They help ensure that necessary actions are taken to address potential risks that may affect the organization's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications,

reconciliation, performance reviews, security of assets, and segregation of duties. For examples of Non-Information Systems and Information Systems control activities, please see the GAO – Internal Control Management and Evaluation Tool at the following hyperlink: Hyperlink: The USGAO-ICS: Internal Control Management and Evaluation Tool of August 2001 (GAO-01-1008G) [www.gao.gov/new.items/d011008g.pdf] End Section 10.2.3.3 – Control Activities: Back to Table of Contents

10.2.3.4 - Information and Communication (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. Pertinent information shall be identified, captured, and communicated in a form and time frame that enables employees to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance related information that make it possible to control the organization. Information systems deal not only with internally generated data, but also information about external events, activities and conditions necessary for informed decision making and external reporting. Effective communication also must occur in a broader sense, flowing down, across, and up the organizational structure. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information throughout the organization. The organization must also effectively communicate with external parties, such as customers, suppliers, state officials, and legislators. End Section 10.2.3.4 – Information and Communication: Back to Table of Contents 10.2.3.5 - Monitoring (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Internal control monitoring should assess the quality of performance over time and ensure that the observations and findings of audits and other reviews are promptly resolved.

Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the system's performance over time. Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions (such as periodic reviews, reconciliations, or comparison of data) personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. End Sections 10.2.3.5 – Monitoring and 10.2 – GAO Standards in the Federal Government: Back to Table of Contents 20 - CMS Contractor Internal Control Review Process and Timeline (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) NOTE: The following CMS Fiscal Year Calendar of Events and Activities timeline is provided as a guide and is not considered absolute. Contractors may use the guideline as a reference. Fiscal Year Calendar of Events and Activities Month Activity IOM Section October 1. Incorporate updated IOM changes

2. Updated Certification Package for Internal Controls (CPIC) Report Due: Five (5) business days after September 30th

Reporting Period: July 1st – September 30th 3. Submit SSAE-18 Bridge Letters

Due: 5 Business Days after September 30th Reporting Period: April 1st – September 30th

4. Begin the Risk Assessment Process 5. Begin updating Standard Operating Procedures

- Section 20.1 – Risk Assessment - Section 30.1 – Certification Package for Internal

Controls (CPIC) Requirements - Section 30.2 – Certification Statement - Section 30.8 –Statement on Standards for Attestation

Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers

January 6. SSAE 18 Examinations (A/B, DME, & Specialty MACs) Start 7. Update and Submit A-123 Cycle Memos to CMS Central Office

Due: 15 Business Days after December 31st

- Section 30.8 –Statement on Standards for Attestation Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers

February 8. Prepare for A-123 or SSAE 18 audit onsite reviews

Month Activity IOM Section June 9. Begin preparing CPIC for all geographical locations.

10. Update CPIC Report of Internal Control Deficiencies 11. Draft SSAE-18 and CAP Follow Up Reports Issued Due: June 1st Reporting Period: October 1st - March 31st 12. Prepare to Draft CPIC and SSAE 18 Corrective Action Plans CAPs

July 1. Final SSAE-18 and CAP Follow Up Reports Issued Due: July 1st Reporting Period: October 1st - March 31st

2. Submit CPIC Report - Certification Statement - Executive Summary - Description/Documentation of the Risk Assessment Process - Report of Material Weaknesses - Report of Control & Significant Deficiencies

Due: 15 Business Days after June 30th Reporting Period: October 1st - June 30th

- Section 30.8 –Statement on Standards for Attestation Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers

- Section 30.1 – Certification Package for Internal Controls (CPIC) Requirements

- Section 30.2 – Certification Statement - Section 30.3 – Executive Summary - Section 20.1 – Risk Assessment - Section 30.4 – CPIC – Report of Material Weaknesses

- Section 30.5 – CPIC – Report of Control Deficiencies

August 3. Review updated IOM to evaluate changes required to your system of operations

4. Submit SSAE 18 CAPs Due: 45 Days after Final SSAE 18 Reports

5. Submit CPIC CAPs Due: 45 Days after CPIC Reports

- Section 40.1 – Submission, Review, and Approval of Corrective Action Plans

September 6. Determine if any new material weaknesses were identified since the CPIC Report in July

20.1 - Risk Assessment (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) Risk assessment identifies areas that should be reviewed to determine which components of an organization's operation present the highest probability of waste, loss, or misappropriation. The risk assessment process is the identification, measurement, prioritization, and mitigation of risks. This process is intended to provide the contractors with:

• Direction for what areas should get priority attention from management due to the nature, sensitivity, and importance of the area's operations;

• A preliminary judgment from managers about the adequacy of existing internal control policies and

procedures to minimize or detect problems; and • An early indication of where potential internal control weaknesses exist that should be corrected.

The CMS requires contractors to perform an annual risk assessment, to identify the most critical areas and areas of greatest risk to be subjected to a review. Operational managers with knowledge and experience in their particular business area shall perform risk assessments. Outside sources can assist with this process, but should not be solely relied upon (e.g., Internal Audit departments, SSAE 18 audits, OMB Circular A-123 Appendix A reviews, etc.). When performing your yearly risk assessment, you are to consider all results from final reports issued during the fiscal year from internal and external reviews including GAO, OIG, CFO audit, Contractor Performance Evaluation (CPE), CPIC, Contractor’s Monthly Bank Reconciliation Worksheet (CMBRW) and 1522 reviews, A-123 Appendix A reviews and results of your own or CMS-sponsored SSAE 18 audits. Any of these findings could impact your risk assessment and preparation of your certification statement. Your risk assessment process shall provide sufficient documentation to fully explain the reasoning behind and the planned testing methodology for each selected area. The contractor shall submit a description of the risk assessment process to CMS as an attachment with the annual CPIC and maintain sufficient documentation to support the risk assessment process. Examples of sufficient documentation are meeting agendas, meeting notes or minutes, and emails. The documentation should be readily available for CMS review. Below are the elements to include in the description or methodology of your risk assessment process:

• Who - List who is involved and state their roles and responsibilities. • Where - List the geographical location(s) for which the certification applies. For multi-site

contractors, review and explain the roles for all sites, i.e., do they do their own risk assessment and control objective testing. Describe the certification process for geographical locations.

• What – Describe the risk factors and the risk assessment process. • When - List when the risk assessment process was completed. • Why – Prioritize control objectives based upon their level of risk while ensuring high risk areas are

reviewed in accordance with the scoring criteria guidelines in Section 20.1.

NOTE: The A/B, DME, and Specialty MAC SOW may also include requirements regarding review of CMS control objectives.

• How – Describe the scoring methodology and provide a description and definition for each risk and

exposure factor. Include specific value ranges used in your scoring methodology.

The contractor is encouraged to exceed the risk assessment approach provided below based on its unique operations. The risk assessment process shall at a minimum include the following and shall be submitted as part of the CPIC package: Step 1 - Segment Operations Segment the contractor’s operation into common operational areas of activity that can be evaluated. List the primary components of the unit with consideration to the business purpose, objectives, or goals of the auditable unit. Limit the list to the primary activities designed to achieve the goals and objectives of the auditable unit. Include the CMS control objectives applicable to each auditable unit. Step 2 - Prioritize Risk and Exposure Factors Identify the primary risks and exposure factors that could jeopardize the achievement of the goals and objectives of the unit as well as the organization's ability to achieve the objectives of reliable financial reporting, safeguarding of assets, and compliance with budget, laws, regulations and instructions. Risk and exposure factors can arise due to both internal and external circumstances. Document the definitions and methodology of the risk and exposure factors used in the risk assessment process. Step 3 – Create a Matrix to Illustrate the Prioritization of Risk and Exposure Factors Create a matrix listing on the left axis by operational areas of activity (see Step 1 above). The top axis should list all the risk and exposure factors of concern and determine the weight each column should have. Some columns may weigh more than other columns. Develop a scoring methodology and provide a description and definitions of this methodology used for each risk or exposure factor. This methodology can use an absolute ranking or relative risk identification. Absolute ranking would assign predefined quantifiable measures such as dollars, volume, or some other factor in ranges that would equate to a ranking score such as high, medium or low. Relative risk ranking involves identifying the risk and exposure factors into natural clusters by definition and assigning values to these clusters. Include a legend with the score ranges representing high-risk, medium-risk, and low-risk on the risk matrix. Assign a score to each cell based on the methodology predetermined. Retain notes to support scoring of key risk factors such as “prior audits” and factors that are scored very high or very low. This will assist CMS in evaluating the reasonableness of your risk assessment results. Total the scores for each line item (control objective). The higher scores for each line item will prioritize the risk areas for consideration to be reviewed to support the CPIC. If a high risk control objective is included in a current year Type II SSAE 18 audit, or A-123 Appendix A review, you may rely on the SSAE 18 audit, or A-123 Appendix A review testing and document this as the rationale for excluding it from testing. The CMS considers system security to be a high risk area. Therefore, contractors shall include control objective A.1 in their CPIC each year. All contractors are required to certify their system security compliance. Contractors shall verify that a system's security plan meet CMS’ Minimum Security Requirements as defined by the Business Partners Systems Security Manual (BPSSM). Contractors should write a few paragraphs to self-certify that their organization has successfully completed all required security activities including the security self-assessment of their Medicare IT systems and associated software in accordance with the terms of their Contract. For more details, please see Section 3.4 – Certification of the BPSSM, which can be found at the following hyperlink: Hyperlink: CMS IOM Publication #: 100-17, CMS Business Partners Systems Security Manual, Revision #: 12, Issued: 11/15/2013 [https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/117_Systems_security.pdf] Also, include the results of the testing of A.1 in the Executive Summary. See Section 30.3.

End Section 20.1 – Risk Assessment: Back to Table of Contents 20.1.1- Risk Analysis Chart (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18)

Table 1 - This chart is provided to assist contractors in selecting the high-risk activities within their organization. There are 3 columns that gives directions on how to rank operational areas for potential risk.

HIGH RISK FACTORS (1)

MEDIUM RISK FACTORS (2)

LOW RISK FACTORS (3)

• Recent review or audit findings showing material weaknesses related to internal control processes.

• Areas affected by significant changes in laws, regulations, special requirements or instructions.

• Areas where policies and procedures regarding internal control over financial reporting are not well documented.

• Areas of significant financial vulnerabilities (e. g., new accounting or regulatory guidelines).

• Areas where guidelines have varied interpretations and/or areas being restructured.

• Areas with new contract activities.

• Areas where objectives of the corporate mission could be in jeopardy if not properly implemented.

• Areas lacking performance measures or monitoring.

• Potential program weaknesses related to violation of privacy issues.

• Areas with high visibility.

• Areas where due dates are often not met or responses to correspondence are late.

• Areas with consistent complaints or inquiry.

• Areas where there are no written policies and procedures.

• Areas where recent policy changes were implemented.

• Areas with reorganization activities.

• Areas where there is a breakdown in communication with corporate, regional, state or satellite offices, etc.

• Areas with new or problematic performance measures.

• Areas where CAPs have already been implemented.

• Areas with low visibility; routine program operations.

• Areas where workers are meeting routine program operations and performance targets and attitudes and staff motivations are high.

• Areas that undergo frequent financial audits/ reviews by external parties (e.g., CFO, SSAE 18, A-123 Appendix A, CPIC, etc.).

• Areas that managers perform periodic reviews to ensure that work assignments are performed consistently, and accurately.

• Work activities are being phased out.

• Areas with established and validated performance measures.

Scoring Criteria Guidelines:

Level Level Description High: If an activity has two or more high risk rating factors, review annually. Medium: If an activity has two or more medium risk factors, review biannually. Low: Low activities can be reviewed within a five (5)-year timeframe or at manager’s

discretion that should be balanced with costs and resources.

End Section 20.1.1 – Risk Analysis Chart: Back to Table of Contents 20.2 - Internal Control Objectives (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Internal control objectives are established to identify risk and vulnerabilities. Control objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Generally, objectives fall into three categories:

1. Operations - relating to effective and efficient use of the organization's resources. 2. Financial Reporting - relating to preparation of reliable financial statements. 3. Compliance - relating to the organization's compliance with applicable laws and regulations.

An acceptable internal control system can be expected to provide reasonable assurance of achieving objectives relating to the reliability of operations, financial reporting and compliance. Achievement of those objectives depends on how activities within the organization's control are performed. Section 50 lists the minimum set of control objectives. The contractor may add to the CMS control objective list. For the respective operational areas selected for review in Step 2 of the Risk Assessment discussion, cross-reference the high risk operational areas to CMS' or the contractor’s unique control objectives on a work sheet. Some control objectives will apply to more than one operational area selected for review. The control objectives identified in this step shall be validated by documentation of the control activities (see Section 10.2.3.3) used as well as testing (see Section 20.4) that supports the control objectives. Reminder: Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort made to achieve an appropriate balance. End Section 20.2 – Internal Control Objectives: Back to Table of Contents 20.2.1 – CMS Contractor Control Objectives (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) CMS issues broad control objectives for which contractors shall develop control activities to ensure the objectives are met. The complete list of control objectives are in Section 50. If your risk assessment was completed prior to issuance of the current year CMS control objectives, ensure that any new or revised control objectives are assessed and the risk matrix is updated. In addition, control activities should be created or updated to support any new or revised control objectives as appropriate (see Section 10.2.3.3). Contractors shall also include in their risk assessment any significant or material areas not covered by a CMS control objective. End Section 20.2.1 – CMS Contractor Control Objectives: Back to Table of Contents 20.3 – Policies and Procedures (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Policies and procedures are a set of established guidelines or rules for conducting the affairs of a business. Good policies:

• Are written in clear, concise, and simple language. They are updated as necessary, signed and dated. • Address what the guideline or rule is; not how to implement the guideline or rule.

• Are readily available and properly communicated to staff.

Procedures are a set of steps in a plan intended to influence and determine decisions and actions. Good procedures are tied to policies and:

• Are written in clear, concise, and simple language. • Are tied to the policy. • Are developed and implemented with the user in mind. • Are readily available and properly communicated to staff.

Contractors shall have written policies and procedures to achieve their control objectives. These policies and procedures shall be updated in a timely manner to reflect changes in CMS instructions or your internal operations. Contractors shall demonstrate and document that its policies and procedures are actually being used as designed and are effectively and efficiently meeting the control objective, as described in Section 50. Evaluation and testing of the effectiveness of controls are important in determining if the major areas of risk have been properly mitigated. An example of a policy is, “an agency shall establish physical control to secure and safeguard vulnerable assets”. The specific control activities, or procedures, which support this policy may include: all doors to the facility have locks, the locks only have one key, all keys are held by security guards, security guards are stationed at every door. End Section 20.3 – Policies and Procedures: Back to Table of Contents 20.4 - Testing Methods (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Testing the policies and procedures involves ensuring that the documented policies and procedures are actually being used as designed and are effective to meet a control objective. Evaluating and testing the effectiveness of policies and procedures is important to determine if the major areas of risks have been properly mitigated and provide reasonable assurance that the control objective is met. Testing and evaluating the policies and procedures consists of five (5) steps: Step 1: Select the policies or procedures to be tested It is both impractical and unnecessary to test all policies and procedures. The policies and procedures to be tested are those that primarily contribute to the achievement of the control objectives. A policy or procedure may be eliminated from testing when it does not meet the control objective to be tested due to being poorly designed, unnecessary or duplicative, or not performed in a timely manner. However, if this justification is invoked, other policies and procedures should be tested to validate meeting the control objective. Another justification for testing elimination is due to the cost of testing the policy or procedure exceeds the value of the control objective to be tested. If a policy or procedure is eliminated from testing, the reasoning should be documented. Step 2: Select test methods Once the policies and procedures to be tested are determined, test methods shall be determined. A combination of tests can be used depending on risk or type of activity. The following would be considered acceptable tests:

1. Inquiry: Asking responsible personnel if certain controls are functioning as intended (e.g., “Do you

reconcile your activity or do you review a certain report each month?”). 2. Inspection: Analyzing evidence of a given control procedure (e.g., searching for signatures of a

reviewing official or reviewing past reconciliations). 3. Observation: Observing actual controls in operation (e.g., observing a physical inventory or watching

a reconciliation occur). 4. Re-performance: Conducting a given control procedure more than once (e.g., recalculating an

estimate or re-performing a reconciliation). Observation and inquiry are less persuasive forms of evidence than inspection and re-performance. Step 3: Determine how much testing is needed The next sub-step is to determine the extent of the testing efforts. In most cases, it is unrealistic to observe each policy and procedure or to review 100 percent of all records. Instead, policies and procedures are tested by observing a selected number of controls performed or by reviewing a portion of the existing records. This selection process is called sampling. A representative sample provides confidence that the findings are not by chance by taking into account the factors of breadth and size.

1. Breadth: Breadth of the sample assures that the testing covers all bases and is a representative cross section of the universe being tested. This will provide confidence that the sample will lead to a conclusion about the situation as a whole.

2. Size: Size is the number of items sampled. The size should be large enough to allow a conclusion

that the findings have not happened by chance and provide confidence in the conclusion. The size of the sample should not be so large that testing becomes too costly. When selecting the size of the sample consider:

a. Experience: Reducing the size of the sample when controls have operated satisfactorily in the

past and no major changes have occurred. b. Margin of Error: Increase the size of the sample when only a small margin of error is acceptable. c. Importance: Increase the size of the sample when an important resource is at stake. d. Type: Increase the size of the sample when the control to be tested requires judgment calls.

Decrease the size of the sample when the control is routine. Step 4: Plan data collection The sampling plan gives an idea of the "who, where, what, when, why, and how" (see Section 20.1) aspect of the tests to be conducted. A data collection plan can be used to determine how the test results will be recorded. The accurate recording of test results is an extremely important part of the test documentation. Planning data collection prior to beginning the testing can be very helpful to ensure the information collected will provide conclusive data from which to evaluate the controls. Step 5: Conduct the tests The final step of testing and evaluating controls consists of actually effectuating the testing protocol and documenting the results.

At the conclusion of the testing, the results are analyzed and evaluated. Evaluating involves reviewing the information collected and making an overall judgment on the adequacy of the internal control system as a whole. Deficient areas are to be categorized into Control Deficiencies, Significant Deficiencies, and Material Weaknesses and should be considered for inclusion in the CPIC submission (see Section 30.6). End Section 20.4 – Testing Methods: Back to Table of Contents 20.5 - Documentation and Working Papers (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) The contractor shall document through its working papers, the process it employed to support its internal control certification. This documentation shall include working papers so that a CMS reviewer can conclude that the Risk Assessment process as described in Section 20.1 follows or exceeds these guidelines, and that the Control Activities (Section 10.2.3.3) identified to support the high risk control objectives selected for review are current and clearly stated. Finally, the CPIC documentation shall demonstrate how the Testing Methods employed comply with the general parameters as described in Section 20.4 for the purpose of Control Activity validation. Working papers contain evidence accumulated throughout the review to support the work performed, the results of the review, including findings made, the judgment and/or conclusion of the reviewers. They are the records kept by the reviewer of the procedures applied, the tests performed, the information obtained, and the pertinent judgment and/or conclusions reached in the review process. Examples of working papers are review programs, analyses, memoranda, letters of confirmation and representation, abstracts of documents, and schedules or commentaries prepared or obtained by the reviewer. Working papers may be in the form of data stored on tapes, film, or other media. General Content of Working Papers - Working papers should ordinarily include documentation showing that:

• The work has been adequately planned and supervised. • The review evidence obtained, the reviewing procedures applied, and the testing performed has

provided sufficient, competent evidential matter to support the reviewer's judgments and/or conclusions.

Format of Working Papers - Working paper requirements should ensure that the working papers follow certain standards. As a whole, a good set of working papers should contain the following:

• The objectives, scope, methodology, and the results of the review. • Proper support for findings, judgments and/or conclusions, and to document the nature and scope of

the work conducted. • Sufficient information so that supplementary oral explanations are not required. • Adequate indexing and cross-referencing, and summaries and lead schedules, as appropriate. • Date and signature by the preparer and reviewer. • Evidence of supervisory review of the work.

• Proper heading should be given to the basic content of the working papers.

End Sections 20.5 – Documentation and Working Papers and 20 – CMS Contractor Internal Control Review Process and Timeline: Back to Table of Contents

30 - Internal Control Reporting Requirements (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Several reporting methods are required for internal controls. Medicare Contractors shall use the following CPIC and SSAE 18 guidance to successfully meet them. Back to Table of Contents 30.1 – Certification Package for Internal Controls (CPIC) Requirements (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) NOTE: This section is only applicable to the following listed CMS Contractors: # Contractor Workload 1 DME MAC Jurisdiction A 2 DME MAC Jurisdiction B 3 DME MAC Jurisdiction C 4 DME MAC Jurisdiction D 5 Parts A & B MAC Jurisdiction 5 6 Parts A & B MAC Jurisdiction 6 7 Parts A & B MAC Jurisdiction 8 8 Parts A & B MAC Jurisdiction 15 9 Parts A & B MAC Jurisdiction E 10 Parts A & B MAC Jurisdiction F 11 Parts A & B MAC Jurisdiction H 12 Parts A & B MAC Jurisdiction J 13 Parts A & B MAC Jurisdiction K 14 Parts A & B MAC Jurisdiction L 15 Parts A & B MAC Jurisdiction M 16 Parts A & B MAC Jurisdiction N 17 Specialty MAC Railroad Board (RRB) 18 Pricing, Data Analysis, and Coding (PDAC) Contractor 19 Affordable Care Act Exchange Contractor 20 Benefits Coordination and Recovery Center (BCRC),

Medicare Secondary Payer Recovery Contractor (MSPRC) 21 Commercial Repayment Center (CRC), MSPRC 22 Retiree Drug Subsidy (RDS) Part D Contractor

The contractor certification process provides CMS with assurance that contractors are in compliance with the FMFIA, OMB Circular A-123, and CFO Act of 1990 by incorporating internal control standards into their operations. The contractor certification process supports the audit of CMS' financial statements by the Office of Inspector General (OIG) and the CMS Administrator's FMFIA assurance statement. This compliance is achieved by an annual certification statement included in its annual CPIC submission. CMS has required each contractor to certify that internal controls are in place to identify and correct areas of weakness in its operations. Contractors are expected to evaluate the effectiveness of their operations against CMS' control objectives discussed above. The control objectives represent the minimum expectations for contractor performance in the area of internal controls. Contractors shall have written policies and procedures regarding their annual CPIC preparation and submission process. Contractors shall also have written policies and procedures to address potential internal control deficiencies identified by employees and managers in the course of their daily operations. This includes the process for reporting issues upward through the appropriate levels of management, tracking and correcting deficiencies, and inclusion in the CPIC submission.

The CPIC represents a summary of your internal control environment for the period October 1st through June 30th (the CPIC period), as certified by your organization. It shall include an explicit conclusion as to whether the internal controls over financial reporting are effective (see Section 30.1.1). All material weaknesses identified during this period shall be included in the CPIC submission. Contractors should consider the results of internal and external audits and reviews, such as GAO, OIG, and CFO Act audits, consultant reviews, management control reviews, CPE reviews, SSAE 18 audits, A-123 Appendix A reviews, and other similar activities. These findings should be classified as control deficiencies, significant deficiencies, or material weaknesses based upon the definitions provided in Section 30.6. The contractor shall submit one CPIC report for each type of contract (i.e., A/B, DME, & Specialty MAC workloads, Retiree Drug Subsidy (RDS), and Medicare Secondary Payer Recovery Contractor (MSPRC) workloads). The contractor shall follow these guidelines when submitting the CPIC for A/B, DME, & Specialty MACs:

• Contractors with multiple A/B and DME MAC jurisdictions may submit a CPIC for each jurisdiction or may submit a combined CPIC as long as certification, test results, risk assessments, etc. are presented/distinguished for each jurisdiction.

• The Specialty MAC RRB shall submit a CPIC.

• Contractors that transitioned out of the program prior to June 30th, and are not assuming additional

workloads are not required to submit a CPIC. Electronic CPIC reports shall be received by CMS within fifteen (15) business days after June 30th. The contractor is not required to submit a hard copy report if it has the capability to insert electronic signatures or if the CPIC is sent from the VP of Operations’ email or the CFO’s email. An electronic version of all documents (including updates) submitted as part of your CPIC submission shall be sent to CMS’ Office of Financial Management (OFM) at internalcontrols@cms.hhs.gov as Microsoft Excel or Word files. Electronic copies shall also be sent as follows:

• A/B, DME, and Specialty MACs shall send to the: o Director of the Office of Program Operations & Local Engagement (OPOLE) o IFM CFO Coordinator o Contracting Officer’s Representative (COR) of the A/B, DME, or Specialty MAC.

• RDS and MSPRC Contractors shall send to the CMS COR. A hard copy is not required to be submitted. The CPIC Report Package shall include:

• Certification Statement, see Section 30.2; • Executive Summary, see Section 30.3; • Description of your Risk Assessment Process, see Section 20.1. This should include a:

o Matrix to illustrate the prioritization of risk and exposure factors o Narrative or flowchart that outlines the risk assessment process

• CPIC Report of Material Weaknesses, see Section 30.4. • CPIC – Report of Internal Control Deficiencies, see Section 30.5.

Contractors shall submit an update for the period July 1st through September 30th to report any subsequently identified material weaknesses. The update shall be no more than a one page summary of any material weaknesses and the proposed corrective action. If no material weaknesses have been identified, the contractor shall submit the following for each jurisdiction or a combined statement for all jurisdictions: “As of September 30th, no material weaknesses (or no additional material weaknesses) have been identified during the period July 1 through September 30th for Fiscal Year 20XX”. The submission of the update

should follow the same guidelines as the initial CPIC. The CPIC update is due within five (5) business days after September 30th. If a material weakness is identified, then a CAP shall be completed in accordance to the guidelines shown at Section 40.1. The file names for all electronic files submitted, as part of your CPIC package should begin with the three, four, or five letter abbreviation assigned to each contractor in Section 40.3. Additionally, in the subject line of your email submission, you shall include the corporate name of the entity submitting the CPIC. Maintain the appropriate and necessary documents to support any assertions and conclusions made during the self-assessment process. In your working papers, you are required to document the respective policies and procedures for each control objective reviewed. These policies and procedures should be in writing, be updated to reflect any changes in operations, and be operating effectively and efficiently within your organization. The supporting documentation and rationale for your certification statement, whether prepared internally or by an external organization, shall be available for review and copying by CMS and its authorized representatives. End Section 30.1 – Certification Package for Internal Controls (CPIC) Requirements: Back to Table of Contents 30.1.1 - OMB Circular A-123, Appendix A: Internal Controls Over Financial Reporting (ICOFR) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) CMS contractors, including A/B, DME, and Specialty MACs, MSPRC and RDS, shall use the five steps below to assess the effectiveness of its internal control over financial reporting. Documentation shall occur within each of the basic steps, whether documenting the assessment methodology during the planning phase or documenting key processes and test results during the evaluation and testing steps. 1) Plan and Scope the Evaluation During this phase, the CMS contractor shall leverage existing internal and external audits/reviews performed (Such as SSAE 18 audits, A-123 Appendix A Internal Control Reviews, CPIC, 912 Evaluations, Federal Information Security Management (FISMA), Contractor Performance Evaluations (CPE), etc.) when conducting its assessment of internal control over financial reporting. Management shall consider the results of these audits/reviews in order to identify gaps between current control activities and the documentation of them. The control objectives of A, B, F, G, I, J, K, and L shall be considered, if applicable. If a CMS contractor had an SSAE 18 audit, or an A-123 Appendix A Internal Control Review in the current or past two fiscal years, it shall be used as a basis for the statement of assurance combined with other audits and reviews as appropriate. The contractor shall conduct additional testing for Circular A-123 as deemed necessary (see A-123 Appendix A Internal Control Review/SSAE 18 Reliance Examples chart). For example, if the A-123 Appendix A assurance statement was unqualified, then the contractor is not required to conduct additional testing. Similarly, if the SSAE 18 audit report was unqualified (no findings in Section I (Opinion Letter)), then the contractor is not required to conduct additional testing. However, if the previous year’s A-123 Appendix A assurance statement is qualified, then the contractor shall conduct additional testing on the control deficiencies identified. Similarly if Section I of the prior year’s SSAE 18 audit report is qualified (one or more findings that have not been corrected and validated), then the contractor shall conduct additional testing on the findings identified in Section I and the exceptions identified in Section III (See A-123 Appendix A Internal Control Review Reliance Examples chart). If other audits and reviews contradict the SSAE 18 audit or A-123 Appendix A Internal Control Review, then that contradiction shall be addressed via testing if the issue has not already been corrected and validated.

2) Document Controls and Evaluate Design of Controls This step begins with the documentation and evaluation of entity-level controls. Consideration must be given to the five standards of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) (see Section 10.2.3 – Standards for Internal Control) that can have a pervasive effect on the risk of error or fraud, and will aid in determining the nature and extent of internal control testing that may be required at the transaction or process level. The GAO issued an internal control evaluation tool (The GAO Internal Control Management and Evaluation Tool) to assess the effectiveness of internal control and identify important aspects of control in need of improvement. This tool shall be used in conducting your assessment. Contractors shall prepare cycle memos for financial reporting, accounts receivable, accounts payable, and claims expense (Note: Contractors may combine related cycles (e.g., accounts payable and claims expense). These major transaction cycles relate to significant line items on the financial reports. Cycle memos should identify the key control activities that are relied upon to assure the relevant financial statement assertions are met:

• Existence and Occurrence: All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date. Recorded transactions represent economic events that actually occurred during a stated period of time.

• Rights and Obligations: The entity legally owns all its assets collectively and all

liabilities are legal obligations of the entity. Assets and liabilities reported on the Balance Sheet are bona fide rights and obligations of the entity as of that point in time.

• Completeness: All assets, liabilities, and transactions that should be reported have

been included, and no unauthorized transactions or balances are included. All transactions during a specific period should have been recorded in that period. No unrecorded assets, liabilities, transactions or omitted disclosures.

• Valuation or Allocation: Assets, liabilities, revenue, and expenses have been

included in the financial statements at appropriate amounts. Where applicable, all costs have been properly allocated. Assets and liabilities are recorded at appropriate amounts in accordance with relevant accounting principles and policies.

• Presentation and Disclosure: The financial report is presented in the proper form

and any required disclosures are present. Financial statement items are properly described, classified and fairly presented.

Not all assertions will be significant to all accounts. A single key control will often not cover all assertions; which may necessitate several key controls to support the selected assertions for each line item. However, each assertion is applicable to every major transaction cycle and all associated assertions must be covered to avoid any control gaps. Documenting transaction flows accurately is one of the most important steps in the assessment process, as it provides a foundation for the A-123 assessment. Thorough, well-written documents and flowcharts can facilitate the review of key controls. The documentation should reflect an understanding, from beginning to end, of the underlying processes and document flows involved in each major transaction cycle. This would include the procedures for initiating, authorizing, recording, processing, and reporting accounts and transactions that affect the financial reports. The cycle memo shall include Information Technology (IT) key control activities pertinent to the transaction cycle.

The documentation should start with the collection and review of documentation that already exists. The following are examples of existing documentation that could be used:

• Existing policy and procedure manuals; • Existing forms and documents; • Documentation from independent auditors and the OIG; • Risk assessments; • Accounting manuals; • Memoranda; • Flowcharts; • Job descriptions; • Decision tables; • Procedural write-ups; and/or • Self-assessment reports.

Interviews should be conducted with personnel who have knowledge of the relevant operations to validate that manuals, policies, forms, and documents are accurate and being applied. A major transaction cycle narrative is a written summary of the transaction process. For each major transaction cycle, the narrative describes:

• The initiation point; • The processing type (e.g., automated versus manual, preventative versus detective); • The completion point; • Other data characteristics, such as source; receipt; processing; and transmission; • Key activities/class of transactions within the process; • Controls in place to mitigate the risk of financial statement errors; • Supervisor/manager review; process and calculations performed in preparation of

financial reporting; and process outputs; • Use of computer application controls and controls over spreadsheets used in the

preparation of financial reporting; • Identification of errors; types of errors found; reporting errors; and resolving errors;

and • Ability of personnel to override the process or controls.

Within the cycle memo, the key controls should be clearly identified by highlighting, bolding, or underlining. Contractors are responsible for reviewing and updating cycle memos to keep them current. Control activities are the specific policies, procedures, and activities that are established to manage or mitigate risks. Key controls are those controls designed to meet the control objectives and support management’s financial statement assertions. In other words, they are the controls that management relies upon to prevent and detect material errors and misstatements. For each key control activity, state: (a) the frequency of performance; (b) the specific steps performed; (c) how exceptions are resolved; and (d) how the performance of the control activity and related results/disposition are documented. Examples of control activities that may be identified include:

• Top-level reviews of actual performance; o Compare major achievements to plans, goals, and objectives

• Reviews by management at the functional or actual level; o Compare actual performance to planned or expected results

• Management of human capital; o Match skills to organizational goals o Manage staff to ensure internal control objectives are achieved

• Controls over information processing; o Edit checks of data o Control totals on data files o Access controls o Review of audit logs o Change controls o Disaster recovery

• Physical controls over vulnerable assets; o Access controls to equipment or other assets o Periodic inventory of assets and reconciliation to control records

• Establishment and review of performance measures and indicators; o Relationship monitoring of data

• Segregation of duties; • Proper execution of transactions and events

o Communicating names of authorizing officials o Proper signatures and authorizations

• Accurate and timely recording of transactions and events o Interfaces to record transactions o Regular review of financial reports

• Access restrictions to and accountability for resources and records; and o Periodic reviews of resources and job functions

• Appropriate documentation of transactions and internal control. o Clear documentation o Readily available for examination o Documentation should be included in management directives, policies, or operating manuals

To document management’s understanding of major transaction cycles, management should use a combination of the following:

• Narratives; • Flowcharts; and • Control matrices.

To illustrate this process, we have provided cycle memo guidelines in Section 60. Updated cycle memos shall be submitted to the CMS Internal Controls mailbox within fifteen business days after December 31. Note: The cycle memos must be 508 compliant when released to the Internal Controls mailbox. For information on 508 compliance, please visit the website at the following hyperlink: Hyperlink: The US Department of Health and Human Services (HHS) Section 508 Compliance Information In addition, the A/B, DME, and Specialty MAC contractors shall provide updated cycle memos to the SSAE 18 auditors. 3) Test Operating Effectiveness Testing of the operation of key controls shall be performed and documented (refer to “Plan and Scope the Evaluation” (above) as well as the chart below with regard to testing applicability), to determine whether the control is operating effectively, partially effectively, or not effectively. Testing shall address both manual and automated controls. Ideally, testing should be performed throughout the year. The results of testing completed prior to June 30th will form the basis of the June 30th assurance statement. As testing continues into the fourth quarter, the results of that testing, along with any items corrected since the June 30th assurance statement will be considered in the September 30th assurance statement update. The chart below is provided to assist contractors in determining when to conduct testing.

A-123 Appendix A Internal Control Review/SSAE 18 Reliance Examples

Scenario Prior Fiscal Year 2 Prior Fiscal Year 1 Current Fiscal Year Additional Testing Required or Not Required*

1 No SSAE 18/A-123 Appendix A Review

No SSAE 18/A-123 Appendix A Review Unqualified Not Required

2 No SSAE 18/A-123 Appendix A Review

Unqualified No SSAE 18/A-123 Appendix A Review

Not Required

3 Unqualified No SSAE 18/A-123 Appendix A Review No SSAE 18/A-123 Appendix A Review

Not Required

4 Qualified Unqualified No SSAE 18/A-123 Appendix A Review

Not Required

5 No SSAE 18/A-123 Appendix A Review

No SSAE 18/A-123 Appendix A Review Qualified Required

6 No SSAE 18/A-123 Appendix A Review

Qualified No SSAE 18/A-123 Appendix A Review and the Findings are Corrected and Validated by CMS (CAP Closure Letter Received)

Not Required

7 Unqualified Qualified No SSAE 18/A-123 Appendix A Review and the Findings are Corrected and Validated by CMS (CAP Closure Letter Received)

Not Required

8 Qualified No SSAE 18/A-123 Appendix A Review and the Findings are Corrected and Validated by CMS (CAP Closure Letter Received)

No SSAE 18/A-123 Appendix A Review

Not Required

9 Unqualified Qualified No SSAE 18/A-123 Appendix A Review and the Findings are NOT Corrected or Validated by CMS (No CAP Closure Letter)

Required

Scenario Prior Fiscal Year 2 Prior Fiscal Year 1 Current Fiscal Year Additional Testing Required or Not Required*

10 No SSAE 18/A-123 Appendix A Review

Qualified No SSAE 18/A-123 Appendix A Review and the Findings are NOT Corrected or Validated by CMS (No CAP Closure Letter)

Required

11 Qualified No SSAE 18/A-123 Appendix A Review and the Findings are NOT Corrected or Validated by CMS (No CAP Closure Letter)

No SSAE 18/A-123 Appendix A Review and the Findings are NOT Corrected or Validated by CMS (No CAP Closure Letter)

Required

Unqualified Report SSAE 18: No findings in Section I A-123 Appendix A Internal Control Review: No material weaknesses were noted Qualified Report SSAE 18: 1 or More Findings in Section I A-123 Appendix A Internal Control Review: Material weaknesses were noted, but were not pervasive *Note: Assumes other subsequent audits and reviews do not contradict the SSAE 18/A-123 Appendix A Review or contradictions have been corrected and validated.

4) Identify and Correct Deficiencies If design or operating deficiencies are noted, the potential impact of control gaps or deficiencies on financial reporting shall be discussed with management. The magnitude or significance of the deficiency will determine if it should be categorized as a control deficiency, a significant deficiency, or a material weakness (see Section 30.6). Corrective action plans (CAPs) shall be created and implemented to remediate identified deficiencies (see Section 40). The contractor shall submit corrective action plans for all deficiencies (control deficiencies, significant deficiencies, and material weaknesses) identified as a result of A-123 Appendix A reviews and SSAE 18 Section I findings. 5) Report on Internal Controls / Certification Statement The culmination of the contractor’s assessment will be the assurance statement regarding its internal control over financial reporting. The statement will be one of three types: 1) Unqualified Statement of Assurance Each contractor shall submit, as part of the CPIC report, an assurance statement for internal controls over financial reporting (ICOFR) stating: “… (Contractor) has effective internal controls over financial reporting (ICOFR) in compliance with OMB Circular A-123, Appendix A.” NOTE: The contractor’s statement of assurance should be unqualified if this is consistent with the A-123 Appendix A Internal Control Review statement per the CPA firm report (augmented by internal reviews, if necessary). Similarly, if the SSAE 18 audit (augmented by internal reviews, if necessary) did not result in any Section I findings or the contractor has not classified any findings as material weaknesses, then an unqualified statement of assurance would be applicable. 2) Qualified Statement of Assurance Each contractor shall submit, as part of the CPIC report, an assurance statement for internal controls over financial reporting stating: “…(Contractor) has effective internal controls over financial reporting in compliance with OMB Circular A-123, Appendix A, except for the SSAE 18 Section I finding(s) and/or material weakness(es) identified in the attached Report of Material Weaknesses.” Note: The contractor’s statement of assurance should be qualified if this is consistent with the A-123 Appendix A Internal Control Review statement per the CPA firm report (augmented by internal reviews, if necessary). Similarly, if a SSAE 18 audit disclosed at least one Section I finding and/or internal reviews in the current year disclosed a material weakness, then a qualified statement of assurance (see above) or a statement of no

assurance (see below) would be issued, depending on the pervasiveness of the Section I findings or material weakness. The results of work performed in other control-related activities may also be used to support your assertion as to the effectiveness of internal controls. 3) Statement of No Assurance Each contractor shall submit, as part of the CPIC report, an assurance statement for internal controls over financial reporting stating: “…(Contractor) is unable to provide assurance that its internal control over financial reporting was operating effectively due to the material weakness(es) identified in the attached Report of Material Weaknesses.” or “…(Contractor) did not fully implement the requirements included in OMB Circular A-123, Appendix A and therefore cannot provide assurance that its internal control over financial reporting was operating effectively.” End Section 30.1.1 – OMB Circular A-123, Appendix A: Internal Controls Over Financial Reporting (ICOFR): Back to Table of Contents 30.2 - Certification Statement (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Contractors shall provide a certification statement to CMS pertaining to your internal controls. On the following page is a generic certification statement. This statement should be included as part of your CPIC. The statement is to be signed jointly by your Medicare CFO and Vice President (VP) for Medicare, RDS or MSPRC or the equivalent Senior Executive responsible for Medicare, RDS or MSPRC. The CPIC is due within fifteen (15) business days after June 30th and shall cover the period from October 1st through June 30th. An updated assurance statement for the period July 1st through September 30th is due to CMS within five (5) business days after September 30th. Your certification statement should follow this outline:

Sample Certification Statement: Chief Financial Officer Office of Financial Management Attn: Accounting Management Group, C3-13-08 Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, MD 21244-1850 Dear Chief Financial Officer: As the (Chief Financial Officer and Vice President of (contractor name), we are writing to provide certification of reasonable assurance for the period October 1 through June 30 that (contractor name) internal controls are in compliance with the Federal Managers' Financial Integrity Act (FMFIA) and Chief Financial Officers (CFO) Act by incorporating internal control standards into our operations. We are also providing an unqualified [or qualified] statement of assurance that (contractor name) has effective internal controls over financial reporting in compliance with revised OMB Circular A-123, Appendix A [except for the SSAE 18 Section I finding(s) and/or material weakness(es) identified in the attached Report of Material Weaknesses]. We are cognizant of the importance of internal controls. We have taken the necessary actions to assure that an evaluation of the system of internal controls and the inherent risks have been conducted and documented in a conscientious and thorough manner. Accordingly, we have included an assessment and testing of the programmatic, administrative, and financial controls for the (type of program) operations. In the enclosures to this letter, we have provided an executive summary that identifies a list of the minimum requirements. (See Section 30.3 - Executive Summary for the list of minimum requirements to be provided in your CPIC.) If material weaknesses have been identified, use the following language: "Material weaknesses have been reported to you and the appropriate Innovation & Financial Management (IFM) office, and/or COR. The respective Corrective Action Plans have been forwarded to your office." If no material weaknesses were identified, use the following language: "No material weaknesses have been identified during our review; therefore no material weaknesses have been reported." We have included a description of our risk assessment analysis and our CPIC Report of Material Weaknesses. This letter and attachments summarize the results of our review. We also understand that officials from the Centers for Medicare & Medicaid Services, Office of Inspector General, Government Accountability Office, or any other appropriate Government agency have authority to request and review the working papers from our evaluation. Sincerely,

______________________________________ [Chief Financial Officer Signature] ______________________________________ [Vice President for (type of program) Signature]

End Section 30.2 – Certification Statement: Back to Table of Contents 30.3 - Executive Summary (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) An executive summary shall be included in your CPIC, and at a minimum provide:

A. The contractor identification numbers;

B. The geographical locations for which the certification applies - include all locations for the contractor line of business;

C. A list of the control objectives selected for internal review;

D. The specific time period during which each of the reviews were conducted;

E. The name and title of the person(s) who conducted the review;

F. The location and custodian of the working papers for the review;

G. The name, telephone number, and email address of a contact person who can explain the risk assessment process, the certification review, the results, and the status of any corrective action plans;

H. The total number of material weaknesses reported in the CPIC Report of Material Weaknesses;

I. The total number of control deficiencies and significant deficiencies reported in the CPIC Report of Internal Control Deficiencies; and

J. A list of all other internal and external reviews conducted during the CPIC reporting period. The list should include the type of review, who conducted the review, dates conducted, functional areas reviewed, and the number of findings in each area. (Do not include the certification reviews already listed in ‘C’ above.)

End Section 30.3 – Executive Summary: Back to Table of Contents

30.4 - CPIC- Report of Material Weaknesses (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The CPIC Report of Material Weaknesses (MW) shall include all initial MW identified during the CPIC period and not yet corrected and approved by a CAP closing letter. This report shall be updated as new findings are identified. It shall be prepared as a spreadsheet and include the following columns of information:

1. CMS Finding Number. The contractor shall use the CMS finding number assigned in the final audit report for all external findings. Assign a CMS finding number (see Section 40.3) to all internally-identified MWs. This shall be done as soon as the determination is made that the finding is a MW. Note: Information related to each MW should be on only one row of the spreadsheet; the “wrap text” function in Excel should be used.

2. Control Objective Impacted (see Section 50). Each MW shall have at least one

control objective associated with it. However, a MW could have more than one control objective associated with it. If more than one control objective is impacted by the MW, the finding shall be listed only once with multiple control objectives listed with it. Prioritize the control objectives impacted by each finding and limit them to no more than five.

3. Summary of the material weakness. 4. Corrective action plan (CAP). 5. Date the MW was first identified at the contractor level. 6. Date initial CAP submitted to CMS. 7. CAP target completion date. 8. Actual completion date. 9. Original source of the finding. If the original source is a Contractor Performance

Evaluation review, you shall include the report date and site location of the review. If the original source is an internal control review to support your CPIC certification, identify the MW either FMFIA or financial reporting (FR).

Example Report of Material Weaknesses CMS Contractor XYZ

CPIC Report of Material Weaknesses

1. CMS Finding Number

2. Control Objective(s) Impacted

3. Summary of the MW

4.Corrective Action Plan (CAP)

5. Date MW Identified at the contractor level

6. Date Initial CAP Submitted to CMS

7. CA Targe Comp Date

XYZ-XX-S-001 A.1 No Entity Wide Security Plan

Create an entity Wide Security Plan

03/01/20YY 03/10/20YY 6/30/2

XYZ-XX-C-001 J.4 One individual opens Medicare checks and records them in the cash receipts log. This indicates inadequate separation of duties for this process.

Duties of opening mail and logging in cash receipts are being assigned to separate individuals.

02/03/20YY 02/27/20YY 03/15/

XYZ-XX-C-002 J.3 There is no integrated general ledger accounting system to adequately track all Medicare financial data.

The services of a consulting firm have been obtained to develop an integrated general ledger system for reporting Medicare financial data.

02/20/20YY 02/27/20YY 04/30/

Reporting Period FY 20YY End Section 30.4 – Report of Material Weaknesses: Back to Table of Contents 30.5 - CPIC- Report of Internal Control Deficiencies (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) The CPIC Report of Internal Control Deficiencies is an internal report and it shall include control deficiencies, significant deficiencies, and SSAE 18 Section III/IV exceptions. The CPIC report of Internal Control Deficiencies shall be submitted as part of the annual CPIC submission. The CPIC Report of Internal Control Deficiencies should be prepared as a spreadsheet and include the following columns of information:

1. The original source of the finding. 2. The type of control deficiency (control deficiency or significant deficiency). 3. Whether it is a design deficiency or operating deficiency. 4. The control objective numbers impacted (from Section 50). 5. The corrective action plan. 6. A summary of the control deficiency and significant deficiencies including when

the condition was observed and if a corrective action plan was implemented (or the status if not corrected).

Each control deficiency and significant deficiency shall be listed, and the total number of control deficiencies and significant deficiencies shall be included in the report. The contractors are required to prepare and maintain this report and update this report as new control deficiencies are identified. When CPIC control deficiencies are identified, evaluate internal corrective actions for each of the deficiencies and correct each problem. While you are required to document, track, and correct problems identified as control deficiencies, significant deficiencies and material weaknesses, CPIC CAPs are not required to be submitted to CMS for control deficiencies and significant deficiencies. End Section 30.5 – Report of Internal Control Deficiencies: Back to Table of Contents 30.6 - Definitions of Control Deficiency, Significant Deficiency, and Material Weakness (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The terms below are definitions and reporting classifications for FMFIA and A-123 Internal Controls over Financial Reporting: CONTROL DEFICIENCY:

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met. An operational deficiency exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively. Controls that are not properly designed shall be documented as a control deficiency in the control deficiency log. A deficiency in operations of a control exists if a properly designed control is not working as intended.

SIGNIFICANT DEFICIENCY: A deficiency or combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

MATERIAL WEAKNESS: A deficiency or combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

NOTE: The terms Significant Deficiency and Material Weaknesses may also apply to FMFIA operational findings or issues.

End Section 30.6 – Definitions of Control Deficiency, Significant Deficiency, and Material Weakness: Back to Table of Contents 30.7 - Material Weaknesses Identified During the Reporting Period (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The evaluation of your internal control environment should be an ongoing process throughout the fiscal year. It should not be a once-a-year event, which occurs prior to submission of your annual CPIC. The identification and reporting of material weaknesses should not wait until the end of the CPIC reporting period. During the reporting period, if material weaknesses are identified, send an electronic Initial CAP report within 45 days of identifying the problem, via E-mail, to CAPS@cms.hhs.gov. (See Section 40.4). Within that same time frame A/B, DME, and Specialty MACs are required to provide written notification, to your Associate Regional Administrator for Financial Management and Fee for Service Operations, RO CFO Coordinator, and the COR of the A/B, DME, and Specialty MAC, RDS, and MSPRC shall send to the CMS COR. End Section 30.7 – Material Weaknesses Identified During the Reporting Period: Back to Table of Contents 30.8 –Statement on Standards for Attestation Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) NOTE: This section is only applicable to the following listed A/B, DME, and Specialty MACs: # MAC Type & Jurisdiction/Workload 1 DME MAC Jurisdiction A 2 DME MAC Jurisdiction B 3 DME MAC Jurisdiction C 4 DME MAC Jurisdiction D 5 Parts A & B MAC Jurisdiction 5 6 Parts A & B MAC Jurisdiction 6 7 Parts A & B MAC Jurisdiction 8 8 Parts A & B MAC Jurisdiction 15 9 Parts A & B MAC Jurisdiction E 10 Parts A & B MAC Jurisdiction F 11 Parts A & B MAC Jurisdiction H 12 Parts A & B MAC Jurisdiction J 13 Parts A & B MAC Jurisdiction K 14 Parts A & B MAC Jurisdiction L 15 Parts A & B MAC Jurisdiction M 16 Parts A & B MAC Jurisdiction N 17 Specialty MAC Railroad Board (RRB)

In lieu of receiving an A-123 Appendix A review, A/B, DME, and Specialty MACs are required to undergo a SSAE 18 SOC 1, Type II audit. CMS shall contract with an independent certified public accounting (CPA) firm to perform the SSAE 18 audit. The A/B, DME, and Specialty MACs shall cooperate with the audit which may include, but is not limited to, providing all documentation requested, CPIC results, management assertions, coordinating interviews with key personnel, participating in entrance and exit conferences, providing workspace, and internet connectivity, etc. The A/B, DME, and SMACs shall ensure that all subcontractors are properly identified as inclusive and/or carved out. Based on the subcontractors’ impact on the MAC’s financial statement, the subcontractor may be in scope (i.e. inclusive method) for the SSAE 18 audit. The scope of the SSAE 18 audit begins October 1st of each federal fiscal year and ends no earlier than March 31st (6 months) (e.g. For Federal Fiscal Year 2020, the scope of the audit begins October 1st, 2019, and ends March 31st, 2020). Initial SSAE 18 Control Objectives: For new A/B, DME, and Specialty MACs, excluding cases where incumbent MACs transition to a new MAC jurisdiction, initial SSAE 18 audit shall include the following thirteen (13) listed CMS Control Objectives as described under Section 50 of this IOM: # CMS Control Objective Areas for Initial SSAE 18 Audit Testing 1 50.1 – A Controls – Information Systems 2 50.2 – B Controls – Claims Processing 3 50.3 – C Controls – Appeals 4 50.4 – D Controls – Beneficiary / Provider Services 5 50.5 – E Controls – Complementary Credits 6 50.6 – F Controls – Medical Review (MR) 7 50.7 – G Controls – Medicare Secondary Payer (MSP) 8 50.8 – H Controls – Administrative 9 50.9 – I Controls – Provider Audit 10 50.10 – J Controls – Financial Reporting Review Requirements 11 50.11 – K Controls – Debt Referral (MSP and Non-MSP) 12 50.12 – L Controls – Non-MSP Debt Collection 13 50.13 – M Controls – Provider Enrollment

Recurring SSAE 18 Control Objectives: In subsequent years, A/B, DME, and Specialty MACs SSAE 18 audits shall include the following eight (8) control objectives: # CMS Control Objective Areas for Recurring SSAE 18 Audit Testing 1 50.1 – A Controls – Information Systems 2 50.2 – B Controls – Claims Processing

# CMS Control Objective Areas for Recurring SSAE 18 Audit Testing 3 50.6 – F Controls – Medical Review (MR) 4 50.7 – G Controls – Medicare Secondary Payer (MSP) 5 50.9 – I Controls – Provider Audit 6 50.10 – J Controls – Financial Reporting Review Requirements 7 50.11 – K Controls – Debt Referral (MSP and Non-MSP) 8 50.12 – L Controls – Non-MSP Debt Collection

The remaining Control Objectives may be audited based on professional judgment and/or based on the risk identified from the annual CPIC assessment. Points of Contact (POC) – The A/B, DME, and Specialty MACs shall assign a POC that will assist to ensure that all required parties are invited to the following scheduled events. Entrance Conference – The A/B, DME, and Specialty MACs shall participate in the SSAE 18 entrance conference. The entrance conference is the start of each engagement to discuss the scope, timeframe, and any other issues relating to the engagement. Status Meetings – The A/B, DME, and Specialty MACs shall participate in the SSAE 18 status meetings. The status meetings will include discussion of the audit activities performed to date. The meeting will including a status of CAPs, potential findings and/or exceptions and any issues that may affect the completion of the work. Preliminary Exit Conference – The A/B, DME, and Specialty MACs shall participate in the SSAE 18 preliminary exit conference. The preliminary exit conference will include a status of the engagement, any outstanding issues, additional documentation requests, potential findings and/or exceptions to date, estimated exit conference date, and other topics to be addressed. Exit Conference Report – Prior to the exit conference, the A/B, DME, and Specialty MACs will receive the SSAE 18 exit conference report from the CPA firm. The exit conference report shall include any outstanding issues, summary of findings and/or exceptions, and any other items that requires the MAC’s attention. The A/B, DME, and Specialty MACs shall review the exit conference report in preparation of the exit conference. Exit Conference – The A/B, DME, and Specialty MAC shall participate in the SSAE 18 exit conference. The exit conference will include items such as the status of the examination, outstanding issues, any findings and/or exceptions, agree disagree letter, management representation letter, estimated draft report issuance date, etc. Draft SSAE-18 and CAP Follow up Reports – The A/B, DME, and Specialty MACs should receive the draft SSAE-18 and CAP Follow up reports no later than June 1st. The A/B, DME, and Specialty MACs shall review the draft reports for accuracy and provide any comments back to the CPA firm and CMS no later than ten (10) business days after June 1st.

Final SSAE-18 and CAP Follow Up Reports – The A/B, DME, and Specialty MACs will receive final SSAE 18 and CAP Follow Up reports no later than July 1st. SSAE 18 Bridge Letters – The A/B, DME, and Specialty MACs shall submit a bridge letter attesting to the internal controls environment for the period of April 1st to September 30th. This bridge letter is critically important to the maintenance and demonstration of a strong internal control environment that supports the CMS internal control objectives: effective and efficient operations, reliable reporting, and compliance with applicable laws and regulations. The bridge letter is due within five (5) business days after September 30th and should be submitted via email to InternalControls@cms.hhs.gov. The bridge letter shall be signed by the Chief Financial Officer (or designee). Separate bridge letters shall be completed for each jurisdiction or where applicable/practical, one combined letter may be submitted for multiple jurisdictions. A/B, DME, and Specialty MACs may use the attached sample language as the basis for their bridge letter or they may submit original language. At a minimum, the bridge letter shall have these key points addressed:

• Name of CPA firm who prepared the latest SSAE 18 report; • Date the SSAE 18 report was issued; • Audit period covered by the most recent SSAE 18 report; • The date the service organization is providing this assertion (through the date of

the bridge letter or the as of date provided in the request for the bridge letter); • Any material changes to the internal control environment (if applicable); • Statement that the service organization is not aware of any material changes to the

control environment; • Statement that user entities are responsible for adhering to complementary user

entity control from SSAE 18 report; • Disclaimer that the bridge letter is not a substitute for the actual SSAE 18 report.

The bridge letter will be reviewed by the CMS A-123 Technical Team (ATT) for compliance. If there are any questions regarding the letter, the ATT will contact the A/B, DME, and Specialty MAC’s POC.

[This letter should go on the A/B, DME, or Specialty MAC’s letter head]

Sample Bridge Letter – No Material Changes: [Current Date] Bridge Letter Centers for Medicare & Medicaid Services Office of Financial Management 7500 Security Boulevard, Mailstop C3-13-08 Baltimore, MD 21244-1850 Attn: Internal Control Team Dear CMS Internal Controls Team: We have received your request for information regarding material changes in internal control related to the [list services here (A/B, DME, or Specialty MAC)]. [CPA firm name] prepared the latest Type II SSAE 18 for these services and the report is dated [report date]. This report includes tests of operating effectiveness for the period ending [period end date]. [Name of A/B, DME, or Specialty MAC] recognizes the need to maintain an appropriate internal control environment and report upon the effectiveness, as well as material changes to its internal controls. As of [current date], I am not aware of any material changes in our control environment that would adversely affect the Auditor’s Opinion reached in the [report end date (not the same as the report date)] report for the above named SSAE 18. You should also be aware that [A/B, DME, or Specialty MAC name], as a normal part of its operations, continually updates its services and technology as appropriate. In addition, the controls for all of [A/B, DME, or Specialty MAC name] services were designed with certain responsibilities required of the system users (See Complimentary User Entity Control in the SSAE 18 report). [A/B, DME, or Specialty MAC name] controls must always be evaluated in conjunction with an assessment of the strength of these user controls. Finally, in order to conclude upon the design and effectiveness of internal controls for [A/B, DME, or Specialty MAC name], you must read the current SSAE 18 report. This letter is not intended to be a substitute for the SSAE 18 report. Sincerely, [Name of Member of Management1] [Title]

1 Should be a signature from one of the same persons that signed the letter of representations.

Sample Bridge Letter – Material Changes: [Current Date] Bridge Letter Centers for Medicare & Medicaid Services Office of Financial Management 7500 Security Boulevard, Mailstop C3-13-08 Baltimore, MD 21244-1850 Attn: Internal Control Team Dear CMS Internal Controls Team: We have received your request for information regarding material changes in internal control related to the [list services here (A/B, DME, or Specialty MAC)]. [CPA firm name] prepared the latest Type II SSAE 18 for these services and the report is dated [report date]. This report includes tests of operating effectiveness for the period ending [period end date]. [A/B, DME, or Specialty MAC name] recognizes the need to maintain an appropriate internal control environment and report upon the effectiveness, as well as material changes to its internal controls. On [date or approximate date material change happened], [describe the control add/change/removal that was made. Two sentences is sufficient]. As of [current date], I am not aware of any other material changes in our control environment that would adversely affect the Auditor’s Opinion reached in the [report end date (not the same as the report date)] report for the above named SSAE 18. You should also be aware that [A/B, DME, or Specialty MAC name], as a normal part of its operations, continually updates its services and technology as appropriate. In addition, the controls for all of [A/B, DME, or Specialty MAC name] services were designed with certain responsibilities required of the system users (See Complimentary User Entity Control in the SSAE 18 report). [A/B, DME, or Specialty MAC name] controls must always be evaluated in conjunction with an assessment of the strength of these user controls. Finally, in order to conclude upon the design and effectiveness of internal controls for [A/B, DME, or Specialty MAC name], you must read the current SSAE 18 report. This letter is not intended to be a substitute for the SSAE 18 report. Sincerely, [Name of Member of Management2] [Title] End Section 30.8 – Statement on Standards for Attestation Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers: Back to Table of Contents

2 Should be a signature from one of the same person(s) that signed the letter of representations.

End Section 30.8 – Statement on Standards for Attestation Engagements (SSAE) Number 18, (SSAE 18) Reporting on Controls at Service Providers: Back to Table of Contents 30.9 – List of Complementary User Entity Controls (CUECs) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The following listed CUECs are recommended for consideration by control objective: Control Objective

CUEC Description

Back to Table of Contents 30.9.1 – A CUECs – Information Systems (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) A – Control Objective Number

A – CUEC Description

A.1 CMS maintains, updates, and makes available current CMS Acceptable Risk Safeguards (ARS), Business Partners Systems Security Manual (BPSSM), and other applicable policy to provide Medicare Administrative Contractors (MACs) requirements and guidance for the establishment of an entity-wide security program.

A.3 CMS, as the Authorizing Official (AO), reviews and approves the Information System Security Categorization through the Authority to Operate (ATO) process.

A.7 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors update and / or remove user logical access accounts and system permissions as requested and approved by the MAC for transferred personnel in a timely fashion. In addition, CMS or its contractors remove logical access accounts and system permissions as requested and approved by the MAC for separated personnel in a timely fashion.

A.9 CMS, as the Authorizing Official (AO), authorizes the information system for processing prior to commencing operations and periodically thereafter. In addition, the Information Security and Privacy Group (ISPG) of CMS inputs, in a timely manner, POA&Ms into the CMS FISMA Controls Tracking System (CFACTS).

A – Control Objective Number

A – CUEC Description

A.12

For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors:

• Create MAC and non-MAC user accounts (including remote access accounts, temporary, emergency, and privileged accounts if applicable) as requested and approved by the MAC.

• If emergency and / or temporary accounts are utilized they are automatically removed as required by CMS standards and/or based on request by the MAC.

• CMS or its contractors update information system accounts in a timely fashion based on periodic reviews conducted by the MACs.

A.13 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors remove logical access accounts and system permissions as requested and approved by the MAC for separated personnel in a timely fashion. Further, CMS or its contractors automatically disable inactive accounts as required by CMS.

A.15 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors configure password based authentication for major applications / information systems in accordance with current CMS ARS, BPSSM, and other applicable policies.

A.17 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors produce and distribute security audit logs to the MACs for investigation as needed.

A.18 CMS collaborates with the MAC to analyze, respond, and report security incidents.

A.21 CMS maintains, updates, and makes available the current CMS eXpedited Life Cycle (XLC) and other applicable policy to provide the MACs requirements and guidance for the establishment of change management and SDLC processes.

A.22 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors are responsible for software development and maintenance processes including authorization of changes, documentation, testing, and approvals in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A – Control Objective Number

A – CUEC Description

A.23 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors are responsible for properly restricting and controlling the movement of code between libraries.

A.27 For shared systems, outside of the MAC’s ATO boundary, CMS or its contractors have implemented system backup and recovery procedures including contingency plans, disaster recovery plans, testing of plans, and corrective action based on lessons learned in accordance with the current CMS ARS, BPSSM, and other applicable policy.

End Section 30.9.1 – A CUECs – Information Systems: Back to Table of Contents 30.9.2 – B CUECs – Claims Processing (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) B – Control Objective Number

B – CUEC Description

B.4 Updates to the Sanction/Reinstatement file are provided to the Contractors on a monthly basis.

B.4 CMS sends Denial of Payment for New Admissions (DPNA) letters indicating a facility is not in compliance.

B.5 CMS provides guidance on the claims appeal process and provides accurate and timely notification of appeal status.

B.4, B.5 CMS provides the Office of Inspector General/Supplemental Medical Review Contractor requests to the Contractor.

B.6 CMS issues annual and quarterly change requests timely and accurately for CMS applied software pricing modules and FISS/MCS changes.

B.8 Claims are properly aged from the actual receipts date to the actual date of payment in compliance with CMS instructions. Receipt dates for claims are date stamped and entered into the claims processing system by CMS maintainer organizations. The CMS maintainer organizations are responsible for completely and accurately logging and entering receipt date of claims into the claims processing system.

B – Control Objective Number

B – CUEC Description

B.9 The Shared System Maintainers will provide guidance and controls to track and adjudicate claims, complete base system edits, process Informational Unsolicited Responses (IURs), and analyze/model data from the warehouse to allow detection and prevention of fraud at the MACs.

ALL CMS deploys and manages CMSNET, a private communication network that allows data to be encrypted during the transmission to prevent any unauthorized sources from intercepting data. The Contractors utilize CMSNET to transmit data with the Enterprise Data Centers (EDCs) and other business partners that utilize CMSNET.

ALL CMS accurately and timely communicates mandated regulatory requirement changes and internal policy changes.

ALL CMS ensures CWF and the Beneficiary Data Streamlining (BDS) have accurate and timely data.

End Section 30.9.2 – B CUECs – Claims Processing: Back to Table of Contents 30.9.3 – F CUECs – Medical Review (MR) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) F – Control Objective Number

F – CUEC Description

F.1 CMS provides proper access to the CERT Claim Status website for retrieval and reporting of CERT feedback data.

F.2 CMS reviews and approves the workloads and costs submitted by the contractor.

F.1, F.2 CMS reviews and approves the Strategy Analysis Report (SAR) through its CMS ART System and analyses projected workload, cost, variances to projections and assigns a unique control number/system location code for suspended claims.

F.1, F.3 CMS provides accurate Comprehensive Error Rate Testing (CERT) feedback data that is utilized by the contractor in the development of the IPRS, prioritized problem list and continuous data analysis.

F – Control Objective Number

F – CUEC Description

F.2, F.3 CMS accepts the Monthly Status Reports (MSRs) through its CMS ART System.

F.3, F.12 CMS provides Recovery Audit Contractor (RAC) vulnerability reports and findings that are utilized by the contractor in the IPRS, prioritized problem list and continuous data analysis.

F.1, F.2, F.3 and F.10

CMS reviews and approves the Improper Payment Reduction Strategy (IPRS) through its CMS ART System prior to the beginning of each contract year.

F.4 CMS provides the mechanism for posting Local Coverage Determinations and Articles that are developed by the Contractor Medical Directors (CMD) and policy staff.

ALL CMS regularly communicates and makes available Change Requests (CRs), Technical Direction Letters (TDLs) and Medicare rules and regulations to the contractor.

ALL Access to the all CMS systems are restricted by user identifier (ID) and password. Inactive ID’s are suspended after 30 calendar days and deleted after 90 calendar days. Controls are in place to suspend an account after three unsuccessful login attempts

End Section 30.9.3 – F CUECs – Medical Review (MR): Back to Table of Contents 30.9.4 – G CUECs – Medicare Secondary Payer (MSP) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) G – Control Objective Number

G – CUEC Description

G.1 The Fiscal Intermediary Standard System (FISS), a Part A CMS system, automatically creates “I” records as needed. This control objective does not pertain to BCRC or the CRC contractors.

G.1 MSP edits (including 6800) codes are automatically processed by CWF and reported to the contractors for claim review through audit and error codes in the applicable shared system in order to assist examiners in the processing of claims. The applicable systems are configured with automated help messages to aid claims processing and edit resolution.

G – Control Objective Number

G – CUEC Description

G.1 The applicable systems are configured to process claims. The MSPPAY module calculates the amount Medicare should pay as secondary payer. These MSP amounts are automatically updated in the applicable shared systems and the final MSP payment amount is sent to CWF.

G.2 HIGLAS and CAFM records overpayments as adjustments are posted, sets up accounts receivable, and tracks interest assessment on debt.

G.3, G.4 The CMS provides software, the Common Working File (CWF) for editing, and the Electronic Correspondence Referral System (ECRS) to address assistance requests and MSP inquiries.

G.5 CMS accurately and timely communicates mandated regulatory requirement changes and internal policy changes.

ALL Access to the all CMS systems are restricted by user identifier (ID) and password. Inactive ID’s are suspended after 30 calendar days and deleted after 90 calendar days. Controls are in place to suspend an account after three unsuccessful login attempts.

End Section 30.9.4 – G CUECs – Medicare Secondary Payer (MSP): Back to Table of Contents 30.9.5 – I CUECs – Provider Audit (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) I – Control Objective Number

I – CUEC Description

I.1 CMS ensures that applicable CMS systems are appropriately updated.

I.2 CMS provides information to the contractor regarding new providers, change of ownership for an existing provider, termination of a provider, or a change of Medicare Administrative Contractor (MAC) to ensure the information is processed in System Tracking for Audit and Reimbursement (STAR) in a timely and accurate manner and reflected in subsequent audit activities.

I – Control Objective Number

I – CUEC Description

1.3 CMS provides general instructions to ensure that Provider Cost Reports are properly submitted and accepted. Appropriate program policies and instructions are provided to address situations where the provider did not file a cost report.

I.4 CMS provides Uniform Desk Review thresholds for determination of limited and full reviews.

I.5 CMS provides general instructions to ensure that Provider Cost Reports are issued a Notice of Program Reimbursement timely.

I.6 CMS provides general instructions to ensure audit systems (STAR) are updated in compliance with program instructions.

I.7 CMS regulations and program policy are provided to ensure that the contractor’s cost report re-opening process is in compliance.

I.8 CMS regulations, program policy, and Provider Reimbursement Review Board (PRRB) rules are provided to ensure that the contractor’s appeals process is in compliance.

I.9 Control number I.9 reserved. Control not in use as of IOM revision number 278.

I.10 CMS provides general instructions for audit work that allows for an internal quality control process to be established.

I.11 CMS provides guidelines and instructions to ensure that cost reports are scoped and selected for audit or settled without audit and that audit plans are approved by CMS and in compliance.

I.12 CMS provides manual instructions and timelines to ensure that the contractor’s audit process is conducted in compliance, i.e., timeframes for issuance of the engagement letter, documentation requests, pre-exit and exit conferences, and settlement of the audited cost report.

I.13 CMS provides instructions for audit programs, desk review programs and CMS audit and reimbursement policies, and other audit related instructions so that they can be communicated to audit staff.

I.14 CMS provides instructions to ensure the contractor’s audit staff maintains its necessary knowledge and skills by completing continuing education and training (CET).

I – Control Objective Number

I – CUEC Description

I.15 Supervisory reviews of the audit and settlement process are conducted and the policies and procedures for these reviews are communicated to all supervisors in accordance with CMS program instructions.

I.16 All cost reports where fraud and abuse is suspected shall be referred to the Unified Program Integrity Contractor (UPIC) in accordance with CMS and contractor instructions.

I.17 The contractor has processes and procedures in place to document that supervisory reviews by provider audit department management were completed on all provider audit Corrective Action Plans (CAPs) from the establishment of the CAPs to the implementation and validation of the CAPs.

I.18 HITECH incentive payments for Medicare subsection (d) and critical access hospitals are calculated properly, in accordance with CMS’ regulations, policies, and instructions. Data is properly entered into the FISS screens in order for the HITECH system to generate the incentive payments.

I.19 CMS provides instructions and guidelines to ensure that cap determination letters are issued accurately and timely to Hospices and include all related documentation.

I.1, I.2, I.3, and I.6

CMS provides a database, System Tracking for Audit and Reimbursement, so that information is accurate and timely. CMS maintains and updates program instructions to ensure that inputs into the STAR system are in compliance.

End Section 30.9.5 – I CUECs – Provider Audit: Back to Table of Contents 30.9.6 – J CUECs – Financial (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) Back to Table of Contents 30.9.6.1 – J CUECs – Financial (Non-HIGLAS) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21)

J – Control Objective Number

J – CUEC Description

J.2, J.6 CMS Innovation & Financial Management (IFM) Group (Formerly called Regional Office) reviews and approves Extended Repayment Schedules (ERSs) that exceed 36 months.

J.2, J.6 CMS reviews and approves write-offs and status reclassifications of receivables.

J.9 Incoming checks are controlled, sorted, and prepared for scanning and deposit by CMS.

J.9 Treasury Collection Notifications are received from the Program Support Center (PSC)/US Treasury Department, reconciled and sent to the Contractors.

End Section 30.9.6.1 – J CUECs – Financial (Non-HIGLAS): Back to Table of Contents 30.9.6.2 – J CUECs – Financial (HIGLAS) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) J – Control Objective Number

J – CUEC Description

J.1, J.7 Contractors on HIGLAS/CAFM rely on controls at CMS to obtain reasonable assurance that HIGLAS systematically records all activity resulting in the Treasury Report on Receivables (TROR), Balance Sheets, Income Statements and cash (letter of credit) transactions.

J.3, J.6 Contractors on HIGLAS/CAFM rely on controls at CMS to provide reasonable assurance that CMS has communicated standard language for demand letters to the system maintainer and in HIGLAS.

J.4 Contractors on HIGLAS/CAFM rely on CMS to approve employee access to HIGLAS for specific job functions.

J.6 Contractors on HIGLAS/CAFM rely on CMS to ensure that HIGLAS calculates the aged accounts receivable completely and accurately.

J.5, J.6 Contractors on HIGLAS/CAFM rely on CMS to provide oversight on the HIGLAS support contractor and system maintainer to maintain controls to properly record the accounting activity.

ALL CMS accurately and timely communicates mandated regulatory requirement changes and internal policy changes.

End Section 30.9.6.2 – J CUECs – Financial (HIGLAS): Back to Table of Contents 30.9.7 – K CUECs – Debt Referral (MSP and Non-MSP) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) Back to Table of Contents 30.9.7.1 – K CUECs – Debt Referral (MSP and Non-MSP) (Non-HIGLAS) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21)

K – Control Objective Number

K – CUEC Description

K.1 CMS maintains and updates policies and procedures that are available for review by contractors to reflect changes in the debt referral instructions and to assist in monitoring debts eligible for referral to Treasury for cross servicing and the Treasury Offset Program prior to the debt becoming 120 days delinquent.

K.1 CMS reviews and approves the Currently Not Collectible and Write-Off Reports.

K.1, K.5 and K.6

CMS monitors Collections/Refund Spreadsheets that are available for retrieval from HIGLAS by contractors when collections/refunds on debts are received from Treasury. Internal systems are systematically updated with refund/adjustment information as appropriate.

K.8 CMS reviews the CMSDM-RTA reports to make sure that the contractors have made the necessary updates and status changes.

End Section 30.9.7.1 – K CUECs – Debt Referral (MSP and Non-MSP) (Non-HIGLAS): Back to Table of Contents 30.9.7.2 – K CUECs – Debt Referral (MSP and Non-MSP) (HIGLAS) (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) K – Control Objective Number

K – CUEC Description

K.2 The initial demand letter is either manually created or systematically created in HIGLAS. The content of the initial demand letters and Intent to Refer (ITR) letters are consistent with CMS instructions.

K.6 HIGLAS ages accounts receivable accurately.

K – Control Objective Number

K – CUEC Description

ALL HIGLAS provides eligible debt for referral based on the number of days delinquent and AR status.

ALL HIGLAS tracks debt including interest assessment.

ALL CMS accurately and timely communicates mandated regulatory requirement changes and internal policy changes.

End Section 30.9.7.2 – K CUECs – Debt Referral (MSP and Non-MSP) (HIGLAS): Back to Table of Contents 30.9.8 – L CUECs – Non-MSP Debt Collection (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) L – Control Objective Number

L – CUEC Description

L.1, L.3 and L.5 The initial demand letter is either manually created or systematically created in HIGLAS. The content of the initial demand letters and Intent to Refer (ITR) letters are consistent with CMS instructions.

L.1, L.3 and L.5 As under tolerance overpayments reach the threshold, HIGLAS automatically aggregates and demands the debt.

L.1, L.3 and L.5 CMS ensures the Contractor has the ability in HIGLAS to make adjustments and generate various HIGLAS reports on an as-needed basis for debt management.

L.2 CMS Regional Office reviews and approves Extended Repayment Schedules (ERS) that exceed 36 months.

L.3 CMS provides quarterly interest rate updates, and interest is automatically calculated by the system on the overpayment.

L.4 CMS provides guidance to the Contractor upon receipt of a notification of bankruptcy of a debtor.

L.5 CMS reviews and approves the Write-Off Reports.

L.8 CMS Systems are configured to stop collection activity once overpayment cases are updated with certain appeal statuses.

ALL CMS accurately and timely communicates mandated regulatory requirement changes and internal policy changes.

L – Control Objective Number

L – CUEC Description

No Corresponding Control Number

CMS establishes systematic controls to ensure recoupment of Medicare overpayments and Federal tax and non-tax debts in accordance with the Federal Payment Levy Program (FPLP), which is managed by the Internal Revenue Service (IRS).

End Sections 30.9.8 – L CUECs – Non-MSP Debt Collection and 30 – Internal Control Reporting Requirements: Back to Table of Contents 40 - Corrective Action Plans (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) CMS contractors are subject to various financial management and information technology (IT) audits/reviews performed by the OIG, GAO, independent CPA firms, and the CMS staff to provide reasonable assurance that contractors have developed and implemented internal controls. The results of these audits/reviews indicate whether the contractors’ internal controls are operating as designed. Correcting these deficiencies is essential to improving financial management and internal control. Therefore, audit resolution remains a top priority at CMS. The CMS has established policies and procedures to ensure that the contractors have appropriate CAPs for addressing findings identified through the following:

• CFO financial or information technology (IT) audits related to annual CFO Financial Statement audits, which may include network vulnerability assessment/security testing (NVA/ST);

• SSAE 18 audits;

• Health & Human Services (HHS), OIG Information Technology (IT) Controls

Assessments;

• Financial reviews conducted by the GAO;

• CMS’ 1522 and CMBRW workgroup reviews;

• CMS’ CPIC reviews; and

• OMB Circular A-123 Appendix A reviews. Administrative cost audits, provider audits conducted by the OIG, the contractor initiated systems security annual compliance audits, and system penetration tests are excluded from these procedures. The word “finding” includes control deficiency, significant deficiency, and material weakness. For SSAE 18 audits, CAPs to be submitted to CMS

are required for findings noted in the opinion letter only (Section I), not those reported in Section III/IV of the SSAE 18 report. Section III/IV findings are not required to be included on the Initial and Quarterly CAP Reports. Section III/IV findings shall be tracked internally and corrected. Contractors are required to prepare and maintain documentation to support the status and corrective actions taken on Section III/IV findings. It shall be available for review and submitted to CMS central and/or IFM office, upon request. For A-123 Appendix A reviews, the contractor shall submit corrective action plans for all deficiencies: control deficiencies, significant deficiencies, and material weaknesses. Back to Table of Contents 40.1 - Submission, Review, and Approval of Corrective Action Plans (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Upon completion of any of the audits/reviews noted in Section 40, with the exception of the CPIC, the contractor will receive a final report from the auditors/reviewers noting all findings identified during their audit/review. Within 45 calendar days of the date of electronic receipt of the final report, the contractor is required to submit an Initial CAP Report, using the excel Initial CAP Report that is found in Section 40.6. The excel Initial CAP Report can be obtained via email upon request from CAPS@cms.hhs.gov. For SSAE 18, CFO, and A-123 Appendix A reviews, initial CAPS are due within 45 calendar days of the electronic receipt date of the final report. When submitting the Initial CAP Report, the email subject line shall denote the following information: Initial CAP Report, IOM entity abbreviated name (see Section 40.3, Table I), jurisdiction code, and reporting due date. The Initial CAP Report shall address new findings that have been assigned a finding number either by the auditor/reviewer (e.g., SSAE 18 audit or A-123 Appendix A review) or by the contractor (i.e., CPIC). All entities shall submit an Initial CAP Report even if the entity has no new findings. If there are no findings, this should be annotated on the Initial CAP Report. The CAP shall summarize the procedures that have been or will be implemented to correct the finding. Upon receipt of the Initial CAP Reports, the Internal Control Team will send the reports to the appropriate CMS business owner for review of the CAP. Business owners may either approve the CAP as submitted, or may request additional information to be included in the CAP. All business owner comments shall be provided to the contractors before the due date of the next Quarterly CAP Report. Responses to the CMS business owner comments on the initial CAPs shall be included in the next Quarterly CAP Report due after the date of receipt of the comments. After an initial CAP has been submitted, the CAP shall be merged onto the Quarterly CAP report. This report will contain all findings and CAPs that have not been closed through an official CMS CAP closure letter and provide updates to the actions taken to resolve the findings. All entities shall submit a Quarterly CAP Report even if the entity has no CAPs. If there are no open CAPs, this must be annotated on the Quarterly CAP Report. Only one Quarterly CAP Report shall be submitted for each jurisdiction that shall include all FYs and review types, i.e., SSAE 18 audits, A-123 reviews, CFO audits, etc.

The quarterly updates will also be reviewed; however, CMS will not respond to the quarterly updates unless the CAP indicates that the contractor is not making adequate progress on implementing the CAP or has made significant changes to target completion dates. The Quarterly CAP Report is due within 30 days following the end of each quarter. Therefore, all electronic and hardcopy CAP reports should be received by CMS on or before January 30, April 30, July 30, and October 30 annually. When submitting the Quarterly CAP report, the email subject line shall denote the following information: Quarterly CAP Report, IOM entity abbreviated name (see Section 40.3, Table I), jurisdiction code, and reporting due date. The Quarterly CAP Report shall address all open findings, as well as continue to report information on all findings reported as closed by the contractors until CMS sends the contractor a closeout letter indicating which findings are officially closed. After the contractor receives the closeout letter, the CAP shall be removed from the Quarterly CAP Report. Submit Initial and Quarterly CAP Reports electronically to: CAPS@cms.hhs.gov. Contractors are required to furnish an electronic copy of the CAP reports to their CMS Associate IFM Administrator for Financial Management and Fee for Service Operations, and the designated IFM CFO coordinator. MACs and DME MACs shall submit initial and quarterly CAPs to the CAPS@cms.hhs.gov mail box, and the MAC COR. RDS and MSPRC shall submit initial and quarterly CAPs to the CAPS@cms.hhs.gov, and the central office COR. NOTE: If the electronic copy of the Initial and Quarterly CAP Reports has the Vice President (VP) of Operations electronic signature or is sent from the VP of Medicare Operations email or the CFO’s email, then a hardcopy is not required to be sent to CMS. Otherwise, a hardcopy is required. Contractors shall maintain and have available for review backup documentation to support implementation of each CAP. This will facilitate the validation of CAPS by CMS or its agents. End Section 40.1 – Submission, Review, and Approval of Corrective Action Plans: Back to Table of Contents 40.2 - Corrective Action Plan (CAP) Reports (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) The Initial or Quarterly CAP Report shall include the data explained below using the excel template located in Section 40.6; in addition to a Field Legend providing field completion instructions. Findings should be grouped by type of review (i.e. CFO, SSAE 18, A-123 Appendix A, CPIC, etc.). Definitions of CAP report data fields: A. Contractor – The abbreviated name assigned to the Medicare Administrative Contractor (MAC), Shared System Maintainer (SSM), Data Center (DC), RDS or MSPRC see tables 2, 3, and 4 in Section 40.3.

B. Fiscal Year (XX) – The last two digits of the fiscal year reviewed/audited (e.g., FY 2020 would be entered as 20). C. Review/Audit Type – Refer to Section 40.3 Table 1 to identify the code for the review or audit type performed. D. CAP No. – Sequential three digit number (starting with 001) issued by the auditor/reviewer (or assigned by the contractor if it is a CPIC material weakness) for each finding type. E. Jurisdiction Identifier – Applicable to MACs only-refer to Section 40.3 Table 2 for jurisdiction code. F. Repeat CAP – Indicate if original CAP has any repeat CAPs (“Yes”/”No”). G. CAP Repeat Number – For Quarterly CAP reporting, if a finding is repeated or duplicated in subsequent years or reported in more than one type of review, provide all other CAP ID Nos. for that issue. Repeat finding numbers listed for a particular finding shall be an identical issue, not a related or similar issue and have been identified as a repeat by the auditors in their audit report. Findings with a repeat finding number shall only be listed once on the CAP report. Repeat finding numbers shall only be reported in the “CAP ID Number” column in the Initial CAP Report for new repeat findings identified. For the Quarterly CAP Report, the “CAP ID Number” column will be populated with the primary (original) finding number only. The primary finding number is the finding number that was identified first. If in subsequent audit/review, the same finding is identified by the auditors, the auditors will assign a finding number applicable to the type of audit/review being conducted, and also note in the audit report that it is a repeat finding of a prior audit. The auditor should also note the primary (original) finding number so that the findings can be easily linked. H. Control objective(s) impacted – Required only for SSAE 18 findings, A-123 Appendix A findings, and CPIC material weaknesses. This represents the control objective number(s) impacted by an identified finding. More than one control objective may be impacted for each finding but you need to prioritize and limit the control objectives impacted to no more than five. Note the CMSR number should not be reported in this field. I. Deficiency Description – A detailed description of the finding as identified by the auditor/reviewer in their final report or the material weakness as reported in the CPIC. J. Deficiency Classification – This column is reserved for use by the CMS internal control team. 1. CAP ID No. – This field represents the unique identification number assigned to each

deficiency requiring a CAP (formula driven). 2. CAP Description – A description of the planned remediation strategy to eliminate or

mitigate the deficiency identified. The CAP should address the root cause of the deficiency.

3. Progress Milestones – Sequentially numbered specific action-oriented steps that

facilitates the CAP progress for each deficiency being remediated. Progress milestones shall not change once established. Any revision to an original progress milestone shall be documented in the “2. CAP Description” column and considered an amendment to the original progress milestone. Any changes to the original CAP

shall be submitted to CMS for approval by the Business Owner. All steps (milestones) shall be included in one cell.

4. Original Target Completion Date – A target completion date must be assigned to

every CAP and progress milestone within the CAP to include (MM/DD/YYYY). The target date shall not change once it is recorded.

5. Revised Target Completion Date – If the original target completion date is revised;

the revised date should be included in this column and the reason for the revision should be documented in column “2. CAP Description” (MM/DD/YYYY). Note all changes in the original target completion date shall be submitted to CMS for approval by the Business owner.

6. Actual Completion Date – An actual completion date shall be recorded for every CAP

and progress milestone within the CAP to include (MM/DD/YYYY) the remediation of the deficiency was validated as effective.

7. CAP Status – A status reflecting the disposition of the CAP must be assigned and

updated as necessary for each deficiency being remediated. Status options for deficiencies assessment include:

i. Open – Remediation efforts are in progress and the target completion date

has not passed;

ii. Delayed – Remediation efforts are in progress after the original target completion date has passed. Explanations/justifications for delayed status must be documented in the CAP;

iii. Closed – Pending – Verification and validation efforts have been completed

and the CAP is awaiting closure by the issuing party (e.g., SSAE 18 Auditor, A-123 Assessor).

iv. Closed – Validation and verification procedures demonstrate remediation

efforts were adequately addressed, proven effective, and remediation efforts have been closed by parties authorized to close CAPs (i.e. SSAE 18 auditors, A-123 contractor); and

v. Cancelled – Remediation efforts have ceased because the remediation was

recorded inadvertently or erroneously, or it can be demonstrated that the remediation effort is no longer relevant. Explanations/justifications for cancelled statuses must be document in the CAP and approved by the Business Owner.

8. CAP Lead 1 – Individual responsible for managing corrective action efforts must be

assigned and documented for each deficiency being remediated. 9. CAP Lead 2 – Not applicable to Medicare Contractors.

10. CAP Lead 3 – Not applicable to Medicare Contractors. 11. Executive Sponsor 1 – The senior executive official accountable for the deficiency

and the associated CAP must be documented for each deficiency requiring a CAP. 12. Executive Sponsor 2 – Not applicable to Medicare Contractors. 13. Executive Sponsor 3 – Not applicable to Medicare Contractors. 14. Testing Document Reference – Not applicable to Medicare Contractors. 15. Sport/Prosight Identifier – Not applicable to Medicare Contractors. 16. Root Cause Analysis (RCA) Methodology – RCA is the examination process used to

determine the underlying events(s) that cause the deficiency; the approach technique used to uncover causes of problems. Also, RCA can be seen as the process utilized to help identify what, how, and why an event occurred so that steps can be taken to prevent future occurrences. RCA documentation should be available upon request from the CAP Lead and include the decision process used to determine the RCA approach, and all supporting documentation (e.g. walk through documentation, meeting minutes, various dates analysis, emails, etc.).

17. Not for use by contractor 18. Progress Milestone Status – Each progress milestone must have an assigned status

reflecting its disposition. Status options for deficiencies include:

i. Open – Remediation efforts are in progress and the target completion date has not passed;

ii. Delayed – Remediation efforts are in progress and after the original target

completion date has passed. Explanations/justifications for delayed status must be documented in the CAP;

iii. Closed – Pending – Verification and validation efforts have been completed

and the CAP is awaiting closure by the issuing party (e.g., SSAE 18 Auditor, A-123 Assessor).

iv. Closed – Validation and verification procedures demonstrate remediation

efforts were adequately addressed, proven effective, and remediation efforts have been closed by parties authorized to close CAPs (i.e. SSAE 18 auditors, A-123 contractor); and

v. Cancelled – Remediation efforts have ceased because the remediation was

recorded inadvertently or erroneously, or it can be demonstrated that the remediation effort is no longer relevant. Explanations/justifications for cancelled statuses must be document in the CAP and approved by the Business Owner.

End Section 40.2 – Corrective Action Plan (CAP) Reports: Back to Table of Contents 40.3 - CMS Finding Numbers (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Finding Numbers should be assigned using the following instructions. Each section of digits should be separated by a dash.

A. The first three, four, or five digits are letters, which identify the name of the contractor. Each contractor is assigned a unique set of letters listed below. Finding numbers ending with D & J are defined as follows:

• End letter “D” represents a DME MAC (e.g. ZZZD or ZZZZD) • End letter “J” represents a A/B MAC (e.g. ZZZJ or ZZZZJ)

B. The second two digits are the last two numbers of the year of the review. C. The next one digit is a letter to identify the review/audit type. D. The last three digits are three numbers assigned sequentially to each finding type

beginning with 001.

Table 1 – REVIEW/AUDIT TYPE Findings resulting from the following types of audits or reviews should be reported using the Initial and Quarterly CAP Reports. Choose one from the following list: Review / Audit Letter

Review / Audit Description

A A-123 Appendix A Non-IT C CPIC (Your Annual Self Certification Package) E CFO EDP Audit F CFO Financial Audit G GAO Review (Financial Reviews) I A-123 Appendix A IT M CMS’ CPIC Reviews O OIG Review HHS / OIG / IT Controls Assessment P CMS’ 1522 and CMBRW Reviews S SSAE 18 Audit V CFO Related NVA / ST W IFM Review

Table 2 – A/B, DME, AND SPECIALTY MAC CONTRACTOR

ABBREVIATIONS A/B, DME, and Specialty MAC Contractor Name and Jurisdiction

A/B / DME / SMAC Abbreviation

Noridian Healthcare Solutions, LLC, Durable Medical Equipment (DME) MAC JA & JD

NORD

CGS Administrators, LLC, DME MAC, JB & JC

CGSD

A/B, DME, and Specialty MAC Contractor Name and Jurisdiction

A/B / DME / SMAC Abbreviation

Wisconsin Physicians Service Insurance Corporation, A/B MAC, J5 & J8

WPSJ

National Government Services, Inc., A/B MAC, J6 & JK

NGSJ

CGS Administrators, LLC, A/B MAC, J15

CGSJ

Noridian Healthcare Solutions, LLC, A/B MAC, JE & JF

NORJ

Novitas Solutions, Inc., A/B MAC, JH & JL

NOVJ

Palmetto GBA, LLC, A/B MAC, JJ & JM

PGBAJ

First Coast Service Options, Inc., A/B MAC, JN

FCSOJ

Palmetto GBA, LLC, Railroad Retirement Board (RRB) Specialty MAC (SMAC)

PGBAR

Table 3 – CONTRACTOR ABBREVIATIONS

Contractor Name and Area Contractor

Abbreviation Novitas Solutions, Inc., Affordable Care Act Exchange Oversight Contractor

NOVA

General Dynamics Information Technology (GDIT), Benefits Coordination and Recovery Center (BCRC), Medicare Secondary Payer Recovery Contractor (MSPRC)

GDITB

Palmetto GBA, LLC, Pricing, Data Analysis, and Coding (PDAC)

PGBAP

Performant, Commercial Repayment Center (CRC), MSPRC

PER

General Dynamics Information Technology (GDIT), Retiree Drug Subsidy (Part D Contractor)

GDITR

Table 4 – SHARED SYSTEM MAINTAINER ABBREVIATIONS

Shared System Maintainer Name and Area SSM

Abbreviation DV United, LLC, Common Working File (CWF)

CWF

Data Computer Corporation of America, Single Testing Contractor (STC)

DCCA

Enterprise Services Plano, Fiscal Intermediary Standard System (FISS)

FISS

Enterprise Services Plano, Multi-Carrier System (MCS)

MCS

Shared System Maintainer Name and Area SSM Abbreviation

General Dynamics Information Technology, Viable Medicare System (VMS) / DME Claims Processing System

VMS

Table 5 – DATA CENTER ABBREVIATIONS

Data Center Name and Area DC

Abbreviation Companion Data Services (CDS), General Support System (GSS), Virtual Data Center (VDC)

CDS

Data Computer Corporation of America (DCCA), Medicaid Budget and Expenditure System (MBES)

MBES

Perspecta – Tulsa, OK VDC, Electronic Data System (EDS)

EDS

Leidos – Culpepper, VA, Healthcare Integrated General Ledger Accounting System (HIGLAS)

LEI

General Dynamics Information Technology GHI (New York, NY)

GDIT

End Section 40.3 – CMS Finding Numbers: Back to Table of Contents 40.4 - Initial CAP Report (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) All initial CAPs shall be reported on the Initial CAP Report. After this initial submission, CAPs shall be merged onto the Quarterly CAP Report. All CAPs, for the reviews noted in Section 40, shall be consolidated onto one Quarterly CAP Report. However, if you have findings for an affiliated DC or SSM shown above, these findings shall also be reported using the CMS FISMA Controls Tracking System (CFACTS). A separate CAP report shall be submitted for each contractor, as listed in Section 40.3. The contractor shall use the Initial CAP Report, as an Excel spreadsheet and add their data following the steps below. The format of the spreadsheet should not be altered; however, the column width and row height may be adjusted to accommodate data entry. Additionally, this electronic file should be labeled Initial CAP Report, should be identified using the contractor abbreviations found in Section 40.3, and should include the submission date. For example, the initial CAP Excel file should be named as follows:

Contractor Name Example Initial CAP File Name Healthcare Company Name 20YYMMDD_HCA_Initial_CAP_Report.xls

The Initial CAP Report template can be found in Section 40.6. End Section 40.4 – Initial CAP Report: Back to Table of Contents 40.5 - Quarterly CAP Report

(Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19) The contractor shall use the Quarterly CAP Report, as an Excel spreadsheet and add their data accordingly, changes are only allowed to be made to the column width and row height to accommodate data entry. Quarterly CAP Electronic File Labeling: The electronic file shall be labeled with the following information:

1. Submission Date: Year, Month, and Date (YYYYMMDD) a. 1st Quarter FY 20YY: 01/30/20YY = 20YY0130 b. 2nd Quarter FY 20YY: 04/30/20YY = 20YY0430 c. 3rd Quarter FY 20YY: 07/30/20YY = 20YY0730 d. 4th Quarter FY 20YY: 10/30/20YY = 20YY1030

2. Contractor Abbreviation & Jurisdiction: See Tables 2-5 from Section 40.3 3. File Description: Quarterly_CAP_Report

For example, the Microsoft Excel file names for the 4th Quarterly CAP Reports for FY 20YY due on Wednesday, October 30th, 20YY should be named as follows:

Contractor Name Example Quarterly CAP File Name Healthcare Company Name 20YY1030_HCA_Quarterly_CAP_Report.xls

The Quarterly CAP Report template can be found in Section 40.6. End Section 40.5 – Quarterly CAP Report: Back to Table of Contents 40.6 - CMS Initial and Quarterly CAP Report Template (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) The contractor shall use the CMS Initial and Quarterly CAP Microsoft Excel Report Template for CAP reporting. This template supersedes all prior templates issued, and can also be obtained via email upon request from: CAPS@cms.hhs.gov. Additionally, any Initial and Quarterly CAPs questions and or concerns can be submitted to CAPS@cms.hhs.gov.

CMS CAP Report Template.xlsx

End Sections 40.6 – CMS Initial and Quarterly CAP Report Template and 40 – Corrective Action Plans: Back to Table of Contents 50 – List of CMS Contractor Control Objectives (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) Control Number

Control Objectives

Back to Table of Contents 50.1 – A Controls – Information Systems (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21)

Control Objective – Information Systems A.1 - A.11 Security Management: Controls provide reasonable assurance that

security management is effective. A.1 Controls provide reasonable assurance that management has

established, documented, and approved an entity-wide security program in accordance with the current CMS Acceptable Risk Safeguards (ARS), Business Partners Systems Security Manual (BPSSM), and other applicable policy including that the security program:

• Is monitored and kept up-to-date in accordance with the current ARS requirements.

• Includes requirements to establish a security management structure that has appropriate independence, authority, expertise, and resources.

• Clearly assigns security responsibilities throughout the organization.

• Ensures that management implements, maintains, and updates the organization security policy and procedures in accordance with CMS guidance.

A.2 Controls provide reasonable assurance that security risks are periodically assessed and appropriately mitigated in accordance with the current CMS ARS, BPSSM, and other applicable policy. A risk assessment and supporting activities of the criticality and sensitivity of computer operations, including all network components, IT platforms and critical applications has been established and updated periodically based on ARS and Federal requirements. The assessment includes, but may not be limited to, identification of threats, known system vulnerabilities, system flaws, or weaknesses that could be exploited by threat sources.

Control Objective – Information Systems A.3 Controls provide reasonable assurance that information systems and

resources are categorized based on the potential impact that the loss of confidentiality, integrity, or availability would have on operations, assets or individuals in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.4 Controls provide reasonable assurance that a system security plan(s) (SSP) has been documented, approved, and reviewed by management in accordance with the current CMS ARS, BPSSM, and other applicable policy. The SSP covers all major facilities and operations supporting the CMS Medicare program and is updated and maintained within CFACTS in accordance with the ARS and current version of the CMS Risk Management Handbook (RMH).

A.5 Controls provide reasonable assurance that management develops and maintains a current inventory of hardware, software, platforms, information systems, and other tools / devices that support the Medicare program in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.6 Controls provide reasonable assurance that security related personnel-policies are implemented that include performance of background investigations (initial and / or periodic) in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.7 Controls provide reasonable assurance that security related personnel-policies are implemented that include transfer and separation procedures which require:

• Review and appropriate update, if necessary, of logical and physical access rights for transferred personnel.

• Exit interviews, return of property, such as keys and ID cards, timely notification to security management of separations, removal of physical and logical access to systems and escorting of separated personnel out of the facility.

Performance of transfer and separation processes are in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.8 Controls provide reasonable assurance that personnel including employees, contractors, and vendors, are aware of security policies and procedures. Initial security awareness training, ongoing security awareness training, and role specific training for individuals with significant security responsibilities is documented, completed, and monitored by management. The security training program and content of training are in accordance with the current CMS ARS, BPSSM, and other applicable policy.

Control Objective – Information Systems A.9 Controls provide reasonable assurance that management has

implemented appropriate risk management and security assessment and authorization (SA&A) processes in accordance with the current CMS ARS, BPSSM, and other applicable policy including the following:

• SA&A policies and procedures are documented, kept up-to-date, maintained and approved by management.

• Security Assessments are planned and conducted • A corrective action management process is in place that

includes planning, implementing, evaluating, and fully documenting remedial action addressing findings noted from all security audits and reviews of IT systems, components, and operations. Plan of Action and Milestones (POA&Ms) and corrective action plans are developed and monitored to address weaknesses.

• Authorizing Official (AO) authorizes the information system for processing prior to commencing any operations and periodically thereafter.

A.10 Controls provide reasonable assurance that management continuously monitors the effectiveness of the security program including security operations and completion of vulnerability assessments in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.11 Controls provide reasonable assurance that external third party activities of sub-service organizations (i.e. sub-contractors) are secure, documented, and monitored in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.12 - A.20 Access Controls and Segregation of Duties: Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals and that incompatible duties are effectively segregated.

A.12 Controls provide reasonable assurance that access, including remote access, to significant computerized applications (such as claims processing), accounting systems, systems software, and Medicare data are appropriately authorized, documented, reviewed, and monitored and includes approval by resource owners, procedures to control emergency and temporary access and procedures to share and properly dispose of data. Procedures are performed timely and in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.13 Controls provide reasonable assurance that inactive logical access accounts and accounts for separated individuals are disabled and / or removed in a manner that satisfies the current CMS ARS, BPSSM, and other applicable policies.

Control Objective – Information Systems A.14 Controls provide reasonable assurance that multifactor

authentication is implemented in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.15 Controls provide reasonable assurance that password based authentication is configured in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.16 Controls provide reasonable assurance that access to sensitive system resources and privileged accounts / functions are restricted to individuals with a need-to-know and activities are appropriately logged and monitored. Additionally, Management segregates incompatible duties between various system and Medicare operations functionality which is supported by appropriate documentation, approvals, and monitoring.

A.17 Controls provide reasonable assurance that management identifies system functions, events, and access permissions that require audit logging and implements an effective audit log monitoring capability in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.18 Controls provide reasonable assurance that management has documented, implemented, and approved an effective security operations and incident response program which includes processes to:

a) identify and log suspicious activity, sensitive and privileged functions, and potential security events / incidents,

b) monitor systems and networks audit logs, unusual activity, and / or intrusion attempts,

c) correlate log data, d) analyze potential incidents, and e) report on security events, incidents, and intrusions in

accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.19 Controls provide reasonable assurance that physical access to sensitive IT areas (such as Medicare facilities, data centers and system hardware) by all employees, contractors, vendors, and/ or visitors is appropriately authorized, documented, and reviewed in accordance with the current CMS MAC ARS, BPSSM, and other applicable policy.

A.20 Control number A.20 reserved. Control not in use as of this IOM revision.

A.21 - A.26 Configuration Management: Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended.

Control Objective – Information Systems A.21 Controls provide reasonable assurance that configuration

management policies, plans, and procedures are established, documented, kept up-to-date, and approved in accordance with the current CMS ARS, BPSSM, and other applicable policy including the following:

• A System Development Life Cycle (SDLC) methodology is documented and in use and aligns with the CMS eXpedited Life Cycle (XLC).

• Change management policies and procedures that have been developed, documented, and implemented include documented testing and approval of changes for regular and emergency changes.

A.22 Controls provide reasonable assurance that Medicare application and related systems software development and maintenance activities (e.g. quarterly releases, off-quarterly releases, and emergency changes) are authorized, documented, tested, and approved in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.23 Controls provide reasonable assurance that access to program libraries is properly restricted and movement of programs among libraries is controlled.

A.24 Controls provide reasonable assurance that management has established and consistently monitors information security related configuration for information technology in accordance with the current CMS ARS, BPSSM, and other applicable Federal standards and best practices including the following:

• Develops and maintains a security configuration baseline for information technology that aligns with CMS requirements and industry standards.

• Reviews the IT environment against the baseline. • Remediates misconfigurations in a timely fashion. • For misconfigurations that cannot be remediated timely, a

plan of action and milestones (POA&M) or other corrective action plan is created, documented, and approved.

• Deviations from CMS or other standards are analyzed and approved.

• Results of periodic assessments are reported to CMS.

Control Objective – Information Systems A.25 Controls provide reasonable assurance that management has

established a vulnerability management program in accordance with the current CMS ARS, BPSSM, and other applicable policy that includes:

• Scanning to identify vulnerabilities and unauthorized and unsupported software.

• Disabling / removing unauthorized and unsupported software in a timely manner.

• Remediation of vulnerabilities in a timely manner. • Creation of corrective action plans or POA&Ms if

vulnerabilities cannot be remediated timely. Further, software is updated (patched) in a timely fashion to protect against vulnerabilities in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.26 Controls provide reasonable assurance that an effective virus, spam and spyware protection process is documented, approved, and implemented in accordance with the current CMS ARS, BPSSM, and other applicable policy.

A.27 - A.28 Contingency Planning: Controls provide reasonable assurance that contingency planning:

(1) protects information resources and minimizes the risk of unplanned interruptions and

(2) provides for recovery of critical operations should interruptions occur.

A.27 Controls provide reasonable assurance that information system backup and recovery procedures have been implemented in accordance with the current CMS ARS, BPSSM, and other applicable policy including:

• Development, approval and maintenance of an up-to-date contingency plan and / or disaster recovery plan.

• Periodic testing of contingency and / or disaster recovery plans.

• Updating plans based on lessons learned. A.28 Controls provide reasonable assurance that appropriate environment

protections for sensitive areas such as data centers are implemented in accordance with the current CMS ARS, BPSSM, and other applicable policy.

End Section 50.1 – A Controls – Information Systems: Back to Table of Contents 50.2 – B Controls – Claims Processing (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19)

B – Control Number

Control Objective – Claims Processing

B.1 The Medicare claims processing system tracks each claim from receipt to final resolution.

B.2 Controls provide reasonable assurance that fee-for-service information system edits and / or validations are configured in accordance with CMS guidelines including:

• Management maintains a current baseline of edit configurations in accordance with CMS guidelines.

• Management assesses the current configuration of edits against the baseline periodically.

• For misconfigured edits Management remediates the configuration in a timely fashion.

• Management reports results of reconciliations / reviews to CMS periodically.

(Maintainer Only. Applicable for A-123 Reviews)

B.3 The system generates an audit trail with respect to each claim, adjustment, or other related transaction. Such audit trail shall include the results of each applicable claim edit. (Maintainer Only. Applicable for A-123 Reviews)

B.4 Each claim is adjudicated in accordance with CMS instructions.

B.5 Claims are reopened in accordance with CMS guidelines and readjudicated in accordance with CMS instructions.

B.6 Claim payment amounts are calculated in accordance with CMS instruction. Fee schedules are properly received, logged, and changed in the system and monitored, and applied in accordance with CMS instructions.

B.7 The system shall identify and deny duplicate claims in accordance with CMS instructions. (Maintainer Only. Applicable for A-123 Reviews)

B.8 Claims are properly aged from the actual receipt date to the actual date of payment in compliance with CMS instructions.

B.9 The system shall detect apparent fraudulent or abusive practices in accordance with CMS instructions. Personnel are trained to detect fraudulent and abusive practices and, in accordance with CMS instructions, to deter such practices. Any such apparent fraudulent or abusive practices as are identified are documented and reported in accordance with CMS instructions.

End Section 50.2 – B Controls – Claims Processing: Back to Table of Contents 50.3 – C Controls – Appeals (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) C – Control Number

Control Objective – Appeals

C.1 Medicare Part A and Part B redeterminations processed by MACs are processed based on CMS instructions, appropriately logged and completed within legislatively mandated time frames and tracked to meet CMS guidelines. (Does not pertain to MSPRC. Refer to C.3 for MSPRC control objective.)

C.2 Medicare Part B redeterminations processed by MACs are processed based on CMS instructions, appropriately logged and completed within legislatively mandated time frames and tracked to meet CMS guidelines. (Does not pertain to MSPRC. Refer to C.3 for MSPRC control objective.)

C.3 Redeterminations processed by the MSPRC are processed based on CMS instructions, appropriately logged and completed within legislatively mandated time frames and tracked to meet CMS guidelines.

C.4 Qualified Independent Contractor (QIC) request for case files are handled in compliance with CMS time frames.

C.5 Effectuations are processed as directed by CMS guidelines.

C.6 Contractor communications are clear and in compliance with CMS’ instructions to include specific communications such as acknowledgement letters, decision letters, and information on additional appeal rights, etc.

End Section 50.3 – C Controls – Appeals: Back to Table of Contents 50.4 – D Controls – Beneficiary / Provider Services (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18)

D – Control Number

Control Objective – Beneficiary / Provider Services

D.1 Personally identifiable health information, which is used and disclosed in accordance with the Privacy Act, is handled properly. (Internet Only Manual (IOM) Chapter 2-20.1.8-Beneficiary Customer Service; IOM Pub. 100-09, Chapter 6-Provider Customer Service Program).

D.2 Beneficiary and Provider written inquiries are retained and handled accurately, appropriately, and in a timely manner. (IOM Chapter 2-20.2 – Written Inquiries; IOM Pub. 100-9, Chapter 6-Provider Customer Service Program).

D.3 Telephone inquiries are answered timely, accurately, and appropriately. (IOM Chapter 2-20.1 Telephone Inquiries; IOM Pub. 100-09, Chapter 6-Provider Customer Service Program).

End Section 50.4 – D Controls – Beneficiary / Provider Services: Back to Table of Contents 50.5 – E Controls – Complementary Credits (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) E – Control Number

Control Objective – Complementary Credits

E.1 Contractors shall report cash received from the BCRC for COBA crossover claims as the cash is received in the CMS Analytical, Reporting, & Tracking system (CMS ART).

E.2 Control number E.2 reserved. Control not in use as of IOM revision number 228.

End Section 50.5 – E Controls – Complementary Credits: Back to Table of Contents 50.6 – F Controls – Medical Review (MR) (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18)

F – Control Number

Control Objective – Medical Review (MR)

F.1 Contractor shall use the Program Integrity Manual (PIM) guidelines, data analysis (prior year and most current) and Medical Review (MR) results including Strategy Analysis Report (SAR), and Comprehensive Error Rate Testing (CERT) results to develop and update the Improper Payment Reduction Strategy (IPRS). The problem-focused outcome-based IPRS report shall address provider specific problems, and service-specific problems only in the rare circumstance it is approved by CMS. The IPRS shall focus its medical review activities toward the goal of reducing the claims improper payment rate. All work performed by the MR unit shall be identified in the IPRS and targeted based on the contractor’s prioritized problem list or as directed by CMS.

F.2 Contractor shall budget and perform the MR workloads throughout the year as established in the IPRS. MACs shall report workload volume, and costs associated with MR activities in CMS Analysis, Reporting, and Tracking (ART) systems or as directed by the COR. MACs shall explain any significant fluctuations in workload or costs in the Monthly Status Report and SAR.

F.3 Contractor shall perform data analysis continuously to identify potential problems such as aberrant billing practices, potential of over-utilization areas, and changes in patterns of care to target medical review activities to reduce the claims improper payment rate. Data from a variety of sources must be used for data analysis. At a minimum, sources include: contractor internal data; CMS program vulnerability alerts such as Quarterly Vulnerability Technical Direction Letters that require corrective action reporting, FATHOM/PEPPER and other comparative billing reports; results from medical review studies performed by specialty MR or Program Integrity contractors; and other national or regional sources such as Office of Inspector General (OIG) reports, Government Accountability Office (GAO) reports, enrollment data, and fraud alerts.

F.4 Contractor shall ensure that effective MR edits are developed and implemented as a result of data analysis findings and policies. The effectiveness of each MR edit shall be analyzed and measured by tracking the denial rate, appeals reversal rate, basis of the appeals reversal, and the dollar return on the cost of operationalizing the edit (savings), and success of edit towards billing behavior correction. MR edits shall be modified, deleted, or deactivated when they are determined to no longer be effective.

F – Control Number

Control Objective – Medical Review (MR)

F.5 Contractor shall utilize the Progressive Corrective Action (PCA) process and Targeted Probe and Educate (TPE) process, in accordance with the Pub. 100-08 and CMS instructions, to drive MR activity (i.e., data analysis, claims review, medical review education).

PCA would only apply to MR activity performed before TPE was started by the MAC and/or in a CMS approved MR activity.

F.6 Contractor shall be capable of identifying the status of each claim subjected to medical review at any time (and all claims must be processed timely for closure in accordance with Pub. 100-08 instructions).

F.7 Control number F.7 reserved. Control not in use as of IOM revision number 278.

F.8 The MR unit shall effectively collaborate with Provider Outreach and Education (POE) by referring educational needs that will address existing program vulnerabilities and emerging problems identified during the MR process conducted throughout the fiscal year.

F.9 Contractor shall implement and utilize a Provider Tracking System (PTS) to track all informational provider contacts made by medical review and all educational referrals submitted to POE and external organizations.

F.10 Contractor shall ensure that there is adequate internal networking and sharing of information, and appropriate collaborative actions are taken as a result, between MR and other business functions such as Appeals, Audits, POE, and inquiries and external organizations such as the Zone Program Integrity Contractors (ZPIC), Unified Program Integrity Contractors (UPIC), Recovery Auditors, and Quality Improvement Organizations (QIOs).

F.11 Contractor shall apply quality assurance processes to all elements of the MR Strategy and to all aspects of program management, data analysis, edit effectiveness, problem identification, and claim adjudication.

F.12 Contractor shall effectively comply with all of the MR requirements of the Joint Operating Agreement (JOA) with the PSCs/ZPICs and Recovery Auditors, and other entities as directed by CMS.

F – Control Number

Control Objective – Medical Review (MR)

F.13 Contractor shall institute a corrective action reporting process for claims-specific errors and vulnerabilities in accordance with PIM 3.7.5. For each issue, MACs shall report interim actions, final actions, and action dates.

End Section 50.6 – F Controls – Medical Review (MR): Back to Table of Contents 50.7 – G Controls – Medicare Secondary Payer (MSP) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) G – Control Number

Control Objective – Medicare Secondary Payer (MSP)

G.1 Medicare Administrative Contractor internal quality controls are established and maintained that ensure timely and accurate processing of secondary claims submitted, including paper MSP claims with a primary payer’s explanation of benefits (EOB) or remittance advice (RA). This includes utilization of the MSPPAY module, resolving all MSP edits (including 6800 codes*), creation of “I” records and resolving suspended claims in accordance with CMS instructions at Publication 100-05 Chapter 5 and 6. Contractor internal systems used to process MSP claims are updated via the Common Working File (CWF) automatic notice in an automated fashion. Suspended claims that require manual intervention are corrected and reviewed by the appropriate suspense staff. This control objective does not pertain to BCRC or the CRC contractors.

G – Control Number

Control Objective – Medicare Secondary Payer (MSP)

G.2 Audit trails for MSP receivables are created and maintained. An audit trail should include details of the source of the receivable, correspondence in date order, reasons for adjustments, referral to treasury, collection of the debt, and any information regarding the establishing, reconciling and resolving a receivable for an outstanding debt. All applicable systems (e.g. HIGLAS) should be updated accurately and timely, and be accessible to the appropriate individuals. This control objective pertains to MACs, BCRC, and CRC Contractors.

G.3.1 Contractors ensure compliance with all CMS instructions and directives relating to MSP Investigations by the Benefit Coordination & Recovery Center (BCRC). This includes the MACs transmitting appropriate, timely and complete Electronic Correspondence Referral System (ECRS) submissions in accordance with Publication 100-05, CWF Assistance Requests and ECRS MSP inquiries to the BCRC as a result of the receipt of a phone call, correspondence, claim or unsolicited check/voluntary refund. All references must be maintained in an area accessible to MSP staff and must be available for CMS review. *The ECRS user guide is located at: Publication # 100-05 The Electronic Correspondence Referral System on the Web (ECRS Web) User Guide. This control objective does not pertain to the CRC Contractor

G.3.2 The Commercial Repayment Center (CRC) must transmit appropriate, timely and complete ECRS submissions and CWF Assistance Request as a result of a phone call, inquiry or correspondence received to ensure debtor information is accurate. The Benefits Coordination and Recovery Center (BCRC) must respond to all ECRS Inquiry and Assistance Requests for all contractors. This control objective pertains to the CRC and the BCRC.

G – Control Number

Control Objective – Medicare Secondary Payer (MSP)

G.4 Contractors identify and track all incoming correspondence to ensure timely acknowledgement, response, and priority compliance with the Statement of Work (SOW) for MACs and other Medicare Contractors. All correspondence includes written inquiries, including letters, faxes, telephone inquiries, e-mails and any other forms of communication to support and complete a correspondence/inquiry action, shall be handled consistently for accuracy, professionalism and timeliness. These tracking mechanisms should include the ability to track ECRS submissions when awaiting response/status from the BCRC, or further actions such as claims adjustments after the BCRC has completed their investigation. This control objective pertains to MACs, BCRC, and CRC Contractors.

G.5 Contractors shall have quality assurance measures in place to ensure the accuracy of the implementation of any CMS directive or any required work process/deliverable expressed in the SOW. Contractors shall also provide evidence that the results from quality assurance checks are documented to identify errors and that training venues are implemented to prevent the reoccurrence of these errors. This control objective pertains to MACs, BCRC, and CRC Contractors.

End Section 50.7 – G Controls – Medicare Secondary Payer (MSP): Back to Table of Contents 50.8 – H Controls – Administrative (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) H – Control Number

Control Objective – Administrative

H.1 For contracts expected to exceed $5.5 Million in value and the performance period is 120 days or more, Contractors shall have a written Contractor Code of Business Ethics and Conduct as required by the Federal Acquisition Regulation (FAR) 3.1004 and FAR 52.203-13. To promote compliance with such code of business ethics and conduct and to ensure that all employees comply with applicable laws and regulations, contractors shall assign oversight responsibility to a member at a sufficiently high level.

H.2 Procurements are awarded and administered in accordance with CMS regulations, CMS general instructions and the Federal Acquisition Regulation.

H.3 Control number H.3 reserved. Control not in use as of IOM revision number 278.

H.4 CMS management structure provides for efficient contract performance.

H.5 Records shall be maintained/retained according to the National Archives and Records Administration (NARA) guidelines, CMS implementing guidelines and other requirements, FAR guidelines and other Federal requirements, as may be identified.

H.6 Contractor’s internal controls provide reasonable assurance that certain regularly scheduled processes required to support the CMS contractor’s continuity of operations in the event of a catastrophic loss of relevant, distinguishable Medicare business unit facilities are performed as scheduled.

End Section 50.8 – H Controls – Administrative: Back to Table of Contents 50.9 – I Controls – Provider Audit (Rev. 331, Issued: 11-15-19, Effective: 10-01-19, Implementation: 12-17- 19)

I – Control Number

Control Objective – Provider Audit

I.1 Interim, tentative and PIP payments to Medicare providers are established, monitored and adjusted, if necessary, in a timely and accurate manner in accordance with CMS general instructions and provider payment files are updated in a timely and accurate manner. Adjustments to interim payments shall be made to ensure that payments approximate final program liability within established ranges. Payment records are adequately protected. All applicable CMS systems are properly updated.

I.2 Information received by the contractor from CMS or obtained from other sources regarding new providers, change of ownership for an existing provider, termination of a provider, or a change of Medicare Administrative Contractor (MAC) are identified, recorded, and processed in System Tracking for Audit and Reimbursement (STAR) in a timely and accurate manner and reflected in subsequent audit activities.

I.3 Provider Cost Reports are properly submitted and accepted in accordance with CMS’ regulations, policies, and instructions. Appropriate program policies and instructions are followed in situations where the provider did not file a cost report. Cost report submission information is timely and properly forwarded to the proper CMS Systems.

I.4 Desk review procedures and work performed are documented and are sufficient to obtain an accurate review of the submitted cost report and are in accordance with the Uniform Desk Review (UDR) Program. Documentation is established and maintained to identify situations requiring a limited desk review or a full desk review.

I.5 Notices of Program Reimbursement (NPR) are issued accurately and timely to providers and include all related documentation (e.g. an audit adjustment report, copy of the final settled cost report).

I.6 Inputs to mandated systems regarding provider audit, settlement, reopening, appeals, and reimbursement performance (STAR) are complete, accurate and in compliance with program instructions. Documentation supporting reports and inputs shall be maintained.

I.7 The contractor’s cost report reopening process is conducted in accordance with CMS regulations and program policy.

I.8 Provider appeals (including both the Provider Reimbursement Review Board (PRRB) and Contractor Appeals) are handled appropriately. Jurisdictional questions are addressed and PRRB timeframes for submission are observed.

I – Control Number

Control Objective – Provider Audit

I.9 Control number I.9 reserved. Control not in use as of IOM revision number 278.

I.10 An internal quality control process has been established and is functioning in accordance with CMS instructions to ensure that audit work performed on providers’ cost reports is accurate, meets CMS quality standards, and results in program payments to providers which are in accordance with Medicare law, regulations and program instructions.

I.11 Cost reports are scoped and selected for audit or settled without audit. Audit plans are approved by the Audit & Reimbursement (A&R) Business Function Lead and adhere to CMS guidelines and instructions.

I.12 The contractor’s audit process is conducted in accordance with CMS manual instructions and timelines, i.e., timeframes for issuance of the engagement letter, documentation requests, pre-exit and exit conferences, and settlement of the audited cost report.

I.13 Communications of audit programs, desk review programs, CMS audit and reimbursement policies, and other audit related instructions are timely and accurately communicated to all appropriate audit staff.

I.14 The contractor’s audit staff maintains its necessary knowledge and skills by completing continuing education and training (CET) required by CMS instructions, and documentation is maintained to support compliance by each staff member.

I.15 Supervisory reviews of the audit and settlement process are conducted and the policies and procedures for these reviews are communicated to all supervisors in accordance with CMS program instructions.

I.16 All cost reports where fraud and abuse is suspected shall be referred to the Unified Program Integrity Contractor (UPIC) in accordance with CMS and contractor instructions.

I.17 The contractor has processes and procedures in place to document that supervisory reviews by provider audit department management were completed on all provider audit Corrective Action Plans (CAPs) from the establishment of the CAPs to the implementation and validation of the CAPs.

I – Control Number

Control Objective – Provider Audit

I.18 HITECH incentive payments for Medicare subsection (d) and critical access hospitals are calculated properly, in accordance with CMS’ regulations, policies, and instructions. Data is properly entered into the FISS screens in order for the HITECH system to generate the incentive payments.

I.19 Notices of CAP Determination Letter are issued accurately and timely to Hospices and include all related documentation.

End Section 50.9 – I Controls – Provider Audit: Back to Table of Contents 50.10 – J Controls – Financial Reporting Review Requirements (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Transactions for Medicare accounts receivable, payables, expenses shall be recorded and reported timely and accurately, and financial reporting shall be completed in accordance with CMS standards, Federal Acquisition Regulation (FAR), Financial Accounting Standards Advisory Board, Cost Accounting Standards, and Generally Accepted Accounting Principles (GAAP). For the following control objectives, the review shall focus on the following areas:

• Cost Report Settlement Process; • Contractor Financial Reports:

o Form CMS H751B (Status of Accounts Receivable – Excel Template) o HIGLAS-CMS Balance Sheets and Income Statements, o HIGLAS-CMS Treasury Report on Receivables (TROR), o HIGLAS-CMS CNC Eligibility, o HIGLAS-CMS MSP Recovery GHP/Non-GHP Receivables, o Reconcile the HIGLAS accounts receivable balance and activity to the

following reports/registers: CMS Beginning Balance Report, CMS Transaction Register, CMS Applied Collection Register, CMS Adjustment Register, CMS AR Overpayments Report, CMS Interest and Late Charges, CMS AR Balance Detail, CMS Written-Off/CNC,

• Form CMS 1521 (Schedule of Letter of Credit Draws – Excel Template) • Form CMS 1522 (Monthly Bank Reconciliation – Excel Template) • Reconciliation of Cash Balances and Cash Receipts. • HIGLAS-CMS Trial Balance and General Ledger, • HIGLAS-CMS Cash Management Reports, • HIGLAS-CMS Accounts Payable Reports:

o AP Detail Schedule of Entitlement Payables Due & Payable-Refunds Payable (216006),

o AP Detail Schedule of Entitlement Payables Due & Payable-Top Offsets (216097),

o AP Detail Schedule of Entitlement Payables Due & Payable-Settlement Matching (216098),

o AP Detail Schedule of Entitlement Payables Due & Payable-Third Party Payer (216099),

• HIGLAS-Contractor’s Monthly Bank Reconciliation Worksheet. J – Control Number

Control Objective – Financial

J.1 Financial statements and reports should include all authorized transactions that occurred for the period reported.

J.2 Valid financial transactions are prepared and approved by authorized personnel in accordance with management and CMS’ policies.

J.3 Recorded and processed transactions are correctly classified, maintained, summarized and reconciled. In addition, transactions shall be properly supported.

J.4 Segregation of duties exists and are implemented within the area of financial reporting (i.e., there shall be separate authorization, record keeping, and custody).

J.5 All assets and liabilities exist, are properly valued, and are correctly recorded in the books/records of the contractor.

J.6 Accounts receivable and accounts payable balances be properly valued and aged appropriately in accordance with CMS policies.

J.7 Contractor Financial Reports are accurate, signed/certified by authorized individuals and presented timely to CMS in accordance with Publication (Pub) 100-06 of the Medicare Financial Management Manual, Chapter 5, Financial Reporting, Section 230 and/or the HIGLAS Certification Statement.

J.8 Banking information relevant to Medicare processing is accurately stated and conforms to the tripartite agreement.

J.9 Collection Reconciliation Acknowledgement Forms (CRAF) and/or facsimiles are accurate, correctly classified, maintained and reconciled. In addition, CRAFs and/or facsimiles shall be signed/approved by authorized individuals and timely sent to CMS in accordance with CMS’s policies.

End Section 50.10 – J Controls – Financial Reporting Review Requirements: Back to Table of Contents 50.11 – K Controls – Debt Referral (MSP and Non-MSP) (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21)

K – Control Number

Control Objective – Debt Referral (MSP and Non-MSP)

K.1 Procedures are documented and followed to identify a debt eligible for referral to Treasury for cross servicing and Treasury Offset Program (TOP) prior to the debt becoming 120 days delinquent. These procedures are written and available for review. Debts eligible for referral and debts ineligible for referral are properly reported on the appropriate CMS Forms 751, Contractor Financial Reports, Status of Accounts Receivable, or the Treasury Report on Receivables and Debt Collection Activities Report. For MSP debt, see Internet Only Manual (IOM), Pub 100-05, MSP Manual, Chapter 7, Section 60 and Chapter 4, Debt Collections.

K.2 Intent to Refer Letters (ITRs) for eligible debt are sent in a timely manner in accordance with CMS instructions. Timeframes for each type of debt can be found in the IOM, Chapter 4, Debt Collections.

K.3 Responses to the ITR letter are handled timely according to CMS instructions. Appropriate systems are updated to reflect any changes to the eligibility status of the debt and these statuses are properly reported on the financial reporting forms outlined in K.1. Procedures are in place to handle undeliverable letters. Refer to the IOM, Chapter 4, Debt Collections.

K.4 All contractors review the system generated HIGLAS CMS Debt Management (CMSDM) Return to Agency (RTA) report and update HIGLAS accordingly to ensure appropriate debts are referred to Treasury as follows:

• CMS contractors who have not transitioned to HIGLAS, including the Administrative Program Accounting (APA) line of business, ensure that the HIGLAS Debt Management Module is updated timely for debt referrals as needed.

• HIGLAS contractors ensure that the HIGLAS AR transactions are updated timely for debt referrals as needed.

K.5 When there is a change to a debt that has been referred for cross servicing, CMS contractors who have not transitioned to HIGLAS, including the APA line of business, update the HIGLAS Debt Management Module to initiate recalls, collections, and adjustments timely and accurately in accordance with CMS instructions. HIGLAS contractors initiate recalls, collections and adjustments timely and accurately by updating the HIGLAS Accounts Receivable (AR) transactions as needed.

K – Control Number

Control Objective – Debt Referral (MSP and Non-MSP)

K.6 All CMS contractors ensure that the CMSDM PSC Collection Report Spreadsheets are completed timely in accordance with CMS instructions, and the appropriate source systems are updated as follows:

• CMS contractors who have not transitioned to HIGLAS, including the APA line of business, ensure that the HIGLAS Debt Management Module is updated timely with refund/adjustment information as needed.

• HIGLAS contractors, including the APA line of business, ensure that the HIGLAS AR transactions are updated timely and accurately with the refund/adjustment information as needed.

K.7 Treasury Cross-Servicing Dispute Resolution forms are researched, resolved, and responded to Treasury timely in accordance with CMS instructions. Procedures are in place and are being followed to respond to these disputes/inquiries, update the appropriate system, and properly report the status and balance of the debt in the financial reporting forms.

K.8 All CMS contractors ensure that the CMSDM RTA report spreadsheets are completed timely in accordance with CMS instructions and debts listed on the spreadsheet are properly reported on the financial reporting forms in accordance with CMS instructions. CMS contractors who have not transitioned to HIGLAS, including the APA line of business, follow the RTA Interface and Report instructions in the HIGLAS Debt Management Module training guide.

K.9 Contractors ensure that debts have the correct status when the debt is referred to Treasury and retains this correct status while at Treasury.

End Section 50.11 – K Controls – Debt Referral (MSP and Non-MSP): Back to Table of Contents

50.12 – L Controls – Non-MSP Debt Collection (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) L – Control Number

Control Objective – Non-MSP Debt Collection

L.1 All overpayments that meet the applicable threshold should be demanded. Demand letters initiate the collection of a provider debt as well as inform the provider of the existence of the debt, their appeal rights with respect to the debt, and the ramifications if the debt is not paid or an ERS agreement is not reached within a specified time period in accordance with CMS instructions. The content of manually created demand letters are reviewed and approved according to CMS guidelines. The demand letter shall be issued, printed mailed timely, and maintained, in accordance with CMS instructions at Pub 100-06, chapters 3 and 4.

L.2 Extended Repayment Schedules (ERSs) shall be analyzed for approval or denial by a supervisor in accordance with CMS instructions. The supervisor’s review includes monitoring all approved ERSs, the complete financial analysis of the provider’s application, compliance with the ERS, and the referral to CMS when necessary in accordance with CMS instructions at Pub 100-06, Chapters 3 and 4.

L.3 Interest is calculated and applied correctly and timely in accordance with CMS instructions at Publication 100-06, Chapters 3 and 4. The interest rate is updated in accordance with the notice of the new interest rate for Medicare Overpayments and Underpayments notification. Interest changes are updated in all applicable systems.

L.4 Bankruptcy cases are handled in accordance with CMS instructions and instructions given by the Office of General Counsel (OGC). An audit trail of the overpayment shall exist before and after the bankruptcy filing to ensure that Medicare’s best interest can be represented by OGC. Contractors shall maintain, track, and update the status of a bankruptcy in accordance with CMS instructions at Pub 100-06, Chapters 3 and 4.

L.5 Provider debt is collected timely, completely, and accurately with an appropriate audit trail of all collection activity and attempts of collection activity in accordance with CMS instructions at Pub 100-06, Chapters 3 and 4.

L.6 Control number L.6 reserved. Control not in use as of IOM revision number 214.

L.7 Timely review and processing of all 838 Credit Balance Reports. Ensure that all reported credit balances are collected and properly processed in accordance with CMS instructions in accordance with CMS instructions at Pub 100-06, Chapter 12.

L – Control Number

Control Objective – Non-MSP Debt Collection

L.8 For overpayments subject to the limitation on recoupment under the Medicare Modernization Act (MMA), recoupment is stopped within the set timeframes for the receipt of requests filed for the redetermination and reconsideration levels of appeal. Once both levels of appeal are completed and CMS prevails, collection activities, including revised demand letters and internal recoupment may resume within the timeframes set forth in accordance with 42 CFR section 405.379 and Publication 100-06 Chapter 3, Section 200.

L.9 Contractors shall calculate the 935 interest on favorable and/or partially favorable decisions determined by the ALJ and subsequent appeal levels. The calculations shall be completed within the set timeframes on the recouped amounts that were applied to the principal balance only. Voluntary payments are excluded for purposes of the calculation of 935 interest. After the amount is calculated, the Contractor shall issue a refund check to the provider. Contractors shall update, track, and maintain the appeal status on overpayments in the applicable systems in accordance with 42 CFR section 405.379 and Publication 100-06 Chapter 3, Section 200.

End Section 50.12 – L Controls – Non-MSP Debt Collection: Back to Table of Contents 50.13 – M Controls – Provider Enrollment Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) M – Control Number

Control Objective – Provider Enrollment

M.1 Review the Medicare enrollment applications (paper CMS-855 or Internet-based Provider Enrollment Chain and Ownership System enrollment application) and take appropriate action in accordance with CMS guidelines in the Publication 100-08, Chapters 10 and 15 of the Program Integrity Manual (PIM).

M.2 Reassignments of benefits are made in accordance with Publication 100-04, Chapter 1, Section 30.2 of the Medicare Claims Processing Manual and Publication 100-08, Chapter 10 and 15 of the PIM.

M.3 Control number M.3 reserved. Control not in use as of this IOM revision.

End Sections 50.13 – M Controls – Provider Enrollment and 50 – List of CMS Contractor Control Objectives: Back to Table of Contents 60 – CMS Contractor Cycle Memo (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) This outline is provided to give the CMS contractor some guidelines on writing a cycle memo. The CMS contractor cycle memo narrative is a written summary for the transaction process. The narrative describes the initial point, the processing type, completion point, key activities, and supervisory or management review. Within the cycle memo, the key controls should be clearly identified by highlighting or underlining and should be clearly numbered with the control activity numbering structure so controls may be cross referenced to other documentation such as the control deficiency log and/or corrective action plans. The key controls are identified for A-123 testing. The key controls are those controls designed to meet the control objectives and cover management’s financial statement assertions. They are the controls that management relies upon to prevent and detect material errors and misstatements. Back to Table of Contents 60.1 - CMS Contractor Cycle Memo Outline (Rev. 308, Issued: 10-26-18 Effective: 09- 01- 18, Implementation: 11-27-18) The financial reporting cycle memo shall include the following sections in the, “Table of Contents”: Section I. Objective The objective of the cycle memo is to describe the preparation and reporting of financial processes performed by the CMS contractor. Section II. Introduction The purpose of the introduction is to provide sufficient background on the process. An example of an introduction would be: The CMS utilizes contractors to manage and administer the Medicare program. Medicare contractor financial reports provide a method of reporting financial activities by the contractors as required by the Chief Financial Officers (CFO) Act of 1990. The CMS contractors are required to maintain accounting records in accordance with government accounting principles and applicable government laws and regulations. Section III. Interface with Other Cycles

The contractor shall show what cycle memos interface or relate to other cycle memos such as the accounts receivable, accounts payable, claims expense or other. Contractors may combine related cycles such as the accounts payable and claims expense. Section IV. Current Environment The purpose of the current environment is to describe the processes in place and to identify the controls within those processes. The Medicare contractor financial reporting environment should show that it has established and maintained an effective commitment to internal controls over financial reporting. Internal controls shall be established and assessments shall be designed to provide reasonable assurance and confidence those obligations and costs are in compliance with applicable laws and regulations. Funds and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation. Revenues and expenditures applicable to the operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over assets. End Sections 60.1 – CMS Contractor Cycle Memo Outline and 60 – CMS Contractor Cycle Memo: Back to Table of Contents

70 – List of Commonly Used Acronyms (Rev. 10614, Issued: 03-23-21, Effective: 10-01-20, Implementation: 04-22-21) Acronym Definition A/B Medicare Part A / B AICPA American Institute of Certified Public Accountants AO Authorizing Official AP Account Payable A&R Audit & Reimbursement AR Account Receivable AIFMA Associate IFM Administrator ARS Acceptable Risk Safeguards ART Analytical, Reporting, & Tracking ATO Authority to Operate BCRC Benefit Coordination & Recovery Center BDS Beneficiary Data Streamlining BPSSM Business Partners Systems Security Manual CAP Corrective Action Plan CERT Comprehensive Error Rate Testing CET Continuing Education and Training CFACTS CMS FISMA Controls Tracking System CFO Chief Financial Officers Act of 1990 CMBRW Contractor’s Monthly Bank Reconciliation Worksheet CMD Contractor Medical Directors CMS Centers for Medicare and Medicaid Services CNC Currently Not Collectible COR Contracting Officer Representative CPA Certified Public Accountant CPE Contractor Performance Evaluation CPIC Certification Package for Internal Controls CR Change Request CRAF Collection Reconciliation Acknowledgement Forms CRC Commercial Repayment Center CUECs Complementary User Entity Controls CWF Common Working File DCS Debt Collection System DD Day/Date Number (01 – 31) DME Durable Medical Equipment DPNA Denial of Payment for New Admissions DPP Duplicate Primary Payment ECRS Electronic Correspondence Referral System EDC Enterprise Data Center EDS Electronic Data System EOB Explanation of Benefits ERM Enterprise Risk Management

Acronym Definition ERS Extended Repayment Schedule FAR Federal Acquisition Regulation FISMA Federal Information Security Management FISS Fiscal Intermediary Standard System FMFIA Federal Managers’ Financial Integrity Act of 1982 FPLP Federal Payment Levy Program FR Financial Reporting FY Fiscal Year GAAP Generally Accepted Accounting Principles GAO Government Accountability Office GHP Group Health Plan(s) GSS General Support System HHS The US Department of Health and Human Services HIGLAS Healthcare Integrated General Ledger Accounting System HITECH Health Information Technology for Economic and Clinical Health ICOFR Internal Controls Over Financial Reporting ICS Internal Control Standards ID Identifier IFM Innovation & Financial Management Group IOM Internet Only Manual IPRS Improper Payment Reduction Strategy IRL Intent to Refer Letters IRS Internal Revenue Service ISPG Information Security and Privacy Group IT Information Technology ITR Intent to Refer IUR Informational Unsolicited Response JOA Joint Operating Agreement MAC Medicare Administrative Contractor MBES Medicaid Budget and Expenditure System MCS Multi-Carrier System MD Maryland MM Month Number (01 – 12) MMA Medicare Prescription Drug, Improvement, and Modernization Act

of 2003 MR Medical Review MW Material Weakness MSP Medicare Secondary Payer MSPPAY Medicare Secondary Payer Payment Module MSPRC Medicare Secondary Payer Recovery Contractor MSR Monthly Status Report NARA National Archives and Records Administration NPR Notices of Program Reimbursement NVA/ST Network Vulnerability Assessment / Security Testing OGC Office of General Counsel

Acronym Definition OIG Office of Inspector General OMB Office of Management and Budget PDAC Pricing, Data Analysis, and Coding PIM Program Integrity Manual POA&M Plan of Action and Milestone POC Point of Contact POE Provider Outreach and Education PRRB Provider Reimbursement Review Board PTS Provider Tracking System Pub Publication QIO Quality Improvement Organization RA Remittance Advice RO Regional Office RAC Recovery Audit Contractor RCA Root Cause Analysis RDS Retiree Drug Subsidy RMH Risk Management Handbook RRB Railroad Retirement Board RTA Returned to Agency SA&A Security Assessment and Authorization SAR Strategy Analysis Report SD Significant Deficiency SDLC System Development Life Cycle SMAC Specialty Medicare Administrative Contractor SOW Statements of Work SSAE 18 Statement on Standards for Attestation Engagements Number 18 SSM Shared System Maintainer SSP System Security Plan STAR System Tracking for Audit and Reimbursement STC Single Testing Contractor TDL Technical Direction Letter TOP Treasury Offset Program TROR Treasury Report on Receivables UDR Uniform Desk Review UPIC Unified Program Integrity Contractor(s) USGAO United States General Accounting Office VDC Virtual Data Center VMS Viable Medicare System VP Vice President XLC eXpedited Life Cycle 20YY Year Number (e.g. 2019, 2020, 2021, etc.) ZPIC Zone Program Integrity Contractor(s)

End Section 70 – List of Commonly Used Acronyms: Back to Table of Contents

Transmittals Issued for this Chapter

Rev # Issue Date Subject Impl Date CR# R10614FM 03/23/2021 The Fiscal Year 2021 Updates for the CMS

Internet Only Manual (IOM) Publication (Pub.) 100-06, Medicare Financial Management Manual, Chapter 7 - Internal Control Requirements

04/22/2021 12028

R331FM 11/15/2019 The Fiscal Year 2020 Updates for the CMS Internet Only Manual (IOM) Publication (Pub.) 100-06, Medicare Financial Management Manual, Chapter 7 - Internal Control Requirements

12/17/2019 11487

R308FM 10/26/2018 The Fiscal Year 2019 Updates for the Centers for Medicare & Medicaid Services (CMS) Internet Only Manual (IOM) Publication (Pub.) 100-06, Medicare Financial Management Manual, Chapter 7 - Internal Control Requirements

11/27/2018 10915

R301FM 03/19/2018 The Fiscal Year 2018 Updates for the Centers for Medicare and Medicaid Services (CMS) Internet Only Manual (IOM) 100-06 The Medicare Financial Management Manual, Chapter 7 - Internal Control Requirements

06/19/2018 10400

R300FM 03/16/2018 The Fiscal Year 2018 Updates for the Centers for Medicare and Medicaid Services (CMS) Internet Only Manual (IOM) 100-06 The Medicare Financial Management Manual, Chapter 7 - Internal Control Requirements- Rescinded and replaced by Transmittal 301

06/19/2018 10400

R278FM 12/16/2016 Medicare Financial Management Manual, Chapter 7, Internal Control Requirements

01/19/2017 9819

R256FM 10/16/2015 Medicare Financial Management Manual, Chapter 7, Internal Controls

11/17/2015 9320

R242FM 10/10/2014 Medicare Financial Management Manual, Chapter 7, Internal Controls

11/11/2014 8885

R228FM 09/27/2013 Medicare Financial Management Manual, Chapter 7, Internal Controls

10/28/2013 8438

R214FM 10/19/2012 Medicare Financial Management Manual, Chapter 7, Internal Control Requirements

11/20/2012 8040

R194FM 09/09/2011 Medicare Financial Management Manual, Chapter 7-Internal Control Requirements

10/11/2011 7555

R179FM 12/23/2010 Medicare Financial Management Manual, Chapter 7-Internal Control Requirements

01/25/2011 7230

R164FM 01/15/2010 Chapter 7, Internal Control Requirements Update

11/23/2009 6659

R161FM 10/23/2009 Chapter 7, Internal Control Requirements Update – Rescinded and replaced by Transmittal 164

11/23/2009 6659

R150FM 04/02/2009 Chapter 7, Internal Control Requirements Update

03/09/2009 6249

R147FM 02/06/2009 Chapter 7, Internal Control Requirements Update – Rescinded and replaced by Transmittal 150

03/09/2009 6249

R132FM 10/05/2007 Chapter 7, Internal Control Requirements Update

11/05/2007 5701

R117FM 02/12/2007 Internal Control Requirements Update 01/29/2007 5429 R116FM 01/31/2007 Internal Control Requirements Update –

Replaced by Transmittal 117 01/29/2007 5429

R112FM 12/29/2006 Internal Control Requirements Update-Replaced by Transmittal 116

01/29/2007 5429

R103FM 07/21/2006 Internal Control Requirements Update 07/24/2006 5234 R95FM 04/28/2006 Internal Control Requirements Update 05/30/2006 4334 R66FM 03/04/2005 Internal Control Requirements Update 04/04/2005 3655 R34FM 02/06/2004 Internal Control Requirements Update 03/08/2004 3006 R15FM 02/07/2003 Federal Managers' Financial Integrity Act 03/21/2003 2513 R11FM 09/27/2002 Corrective Action Plans 09/27/2002 2287 R07FM 08/30/2002 Initial Publication of Chapter 10/01/2002 2231

Back to top of Chapter